Your data is an asset. Safeguarding it will help you comply with data protection laws and allow your business to thrive
A global leader in privacy guidance, audits, tools, training and software
IT Governance is a market leader in data privacy and cyber security solutions. Their broad suite of offerings is one of the most comprehensive in the world.
ITG affordable solutions have assisted numerous individuals and organizations in understanding the tangible aspects of data privacy. With substantial legal and technical proficiency, coupled with a 15-year history in cybersecurity risk management, ITG customers have complete confidence in entrusting us with their needs.
Speed up your compliance initiatives for GDPR, CPRA, and other regulations ISO 27701 by utilizing ITG collection of top-performing Tools, Templates and eBooks.
Data-deletion service’s patent covers removing personal information such as geolocation, biometrics, and phone records from a vehicle by using a user-computing device
— Privacy4Cars, the first privacy-tech company focused on solving the privacy and security issues posed by vehicle data to protect consumers and automotive businesses, announced today that it has secured a new patent, further expanding its patent coverage for removing privacy information from a vehicle by using a user computing device. This patent grant marks the fourth patent that the U.S. Patent & Trademark Office has awarded to Privacy4Cars in the past three years and provides further evidence that the company is the leading innovator in the vehicle data privacy and security field.
Since its launch in 2018, Privacy4Cars has emerged as the industry standard across auto finance companies (including captives, national and regional banks, auto lenders, and credit unions), fleets and fleet management companies, and franchised and independent dealerships. Many of today’s top companies in the automotive space — including the three largest OEM’s captives — have adopted the data-deletion service powered by the Privacy4Cars platform, and a growing number of industry associations have begun speaking out about the need to clear personal information from cars, and tapping Privacy4Cars as a resource to educate members.
“Used vehicles are akin to large, unencrypted hard drives full of consumers’ sensitive Personal Information, including identifiers, geolocation, biometrics, and phone records,” said Andrea Amico, CEO and founder of Privacy4Cars. “This creates service, reputation, and increasingly major regulatory challenges, including the obligations companies face under the new Safeguards Rule (coming into effect on Dec. 9, 2022) and a host of existing and new state laws. At the same time, federal and local agencies are increasingly concerned about the personal information vehicles capture and store — which is driving more and more auto businesses to look for reliable solutions to simply and effectively delete data from vehicles while creating by design detailed compliance logs that prove their efforts,” he continued. “This new patent demonstrates Privacy4Cars’ commitment to meet the growing compliance and service needs of our partners. Privacy4Cars has established itself as the clear leader in the vehicle privacy space and companies increasingly recognize the superior efficiency, effectiveness, and compliance outcomes our proprietary solution offers, making Privacy4Cars the only obvious choice”.
Privacy4Cars’ newly awarded U.S. Patent No. 11,494,514 expands the scope of patent protection for the vehicle data privacy and security innovations of Privacy4Cars’ U.S. Patent No. 11,256,827, U.S. Patent No. 11,157,648 and U.S. Patent No. 11,113,415. The new patent covers the use of a user computing device to remove privacy information from a vehicle and to create feedback about the information removal activity, including deletion logs for use in legal compliance applications.
Privacy4Cars is currently available in the US, Canada, UK, EU, Middle East, India, and Australia, and plans to further expand its geographical reach to address the growing number of countries that have comprehensive privacy and data security laws. Privacy4Cars is available to consumers as a free-to-download app, and to businesses as a subscription service. Businesses can use Privacy4Cars’ stand-alone app or choose to integrate Privacy4Cars’ Software Development Kit to easily embed its patented data deletion solution as a feature inside their own apps.
For more information about Privacy4Cars, please visit: https://privacy4cars.com.ABOUT PRIVACY4CARS
Privacy4Cars is the first and only technology company focused on identifying and resolving data privacy issues across the automotive ecosystem. Our mission, Driving Privacy, means offering a suite of services to expand protections for individuals and companies alike, by focusing on privacy, safety, security, and compliance. Privacy4Cars’ patented solution helps users quickly and confidently clear vehicle users’ personal information (phone numbers, call logs, location history, garage door codes, and more) while building compliance records. For more information, please visit: https://privacy4cars.com/
Data protection is challenging for many businesses because the United States does not currently have a national privacy law — like the EU’s GDPR — that explicitly outlines the means for protection. Lacking a federal referendum, several states have signed comprehensive data privacy measures into law. The California Privacy Rights Act (CPRA) will replace the state’s current privacy law and take effect on January 1, 2023, as will the Virginia Consumer Data Protection Act (VCDPA). The Colorado Privacy Act (CPA) will commence on July 1, 2023, while the Utah Consumer Privacy Act (UCPA) begins on December 31, 2023.
For companies doing business in California, Virginia, Colorado and Utah* — or any combination of the four — it is essential for them to understand the nuances of the laws to ensure they are meeting protection requirements and maintaining compliance at all times.
Understanding how data privacy laws intersect is challenging
While the spirit of these four states’ data privacy laws is to achieve more comprehensive data protection, there are important nuances organizations must sort out to ensure compliance. For example, Utah does not require covered businesses to conduct data protection assessments — audits of how a company protects data to determine potential risks. Virginia, California and Colorado do require assessments but vary in the reasons why a company may have to take one.
Virginia requires companies to undergo data protection assessments to process personal data for advertising, sale of personal data, processing sensitive data, or processing consumer profiling purposes. The VCDPA also mandates an assessment for “processing activities involving personal data that present a heightened risk of harm to consumers.” However, the law does not explicitly define what it considers to be “heightened risk.” Colorado requires assessments like Virginia, but excludes profiling as a reason for such assessments.
Similarly, the CPRA requires annual data protection assessments for activities that pose significant risks to consumers but does not outline what constitutes “significant” risks. That definition will be made through a rule-making process via the California Privacy Protection Agency (CPPA).
The state laws also have variances related to whether a data protection assessment required by one law is transferable to another. For example, let’s say an organization must adhere to VCDPA and another state privacy law. If that business undergoes a data protection assessment with similar or more stringent requirements, VCDPA will recognize the other assessment as satisfying their requirements. However, businesses under the CPA do not have that luxury — Colorado only recognizes its assessment requirements to meet compliance.
Another area where the laws differ is how each defines sensitive data. The CPRA’s definition is extensive and includes a subset called sensitive personal information. The VCDPA and CPA are more similar and have fewer sensitive data categories. However, their approaches to sensitive data are not identical. For example, the CPA views information about a consumer’s sex life and mental and physical health conditions as sensitive data, whereas VCDPA does not. Conversely, Virginia considers a consumer’s geolocation information sensitive data, while Colorado does not. A business that must adhere to each law will have to determine what data is deemed sensitive for each state in which it operates.
There are also variances in the four privacy laws related to rule-making. In Colorado and Utah, rule-making will be at the discretion of the attorney general. Virginia will form a board consisting of government representatives, business people and privacy experts to address rule-making. California will engage in rule-making through the CPPA.
The aforementioned represents just some variances between the four laws — there are more. What is clear is that maintaining compliance with multiple laws will be challenging for most organizations, but there are clear measures companies can take to cut through the complexity.
Overcoming ambiguity through proactive data privacy protection
Without a national privacy law to serve as a baseline for data protection expectations, it is important for organizations that operate under multiple state privacy laws to take the appropriate steps to ensure data is secure regardless of regulations. Here are five tips.
Partner with compliance and legal experts
It is critical to have someone on staff or to serve as a consultant who understands privacy laws and can guide an organization through the process. In addition to compliance expertise, legal advice will be a must to help navigate every aspect of the new policies.
Identify data risk
From the moment a business creates or receives data from an outside source, organizations must first determine its risk based on the level of sensitivity. The initial determination lays the groundwork for the means by which organizations protect data. As a general rule, the more sensitive the data, the more stringent the protection methods should be.
Create policies for data protection
Every organization should have clear and enforceable policies for how it will protect data. Those policies are based on various factors, including regulatory mandates. However, policies should attempt to protect data in a manner that exceeds the compliance mandates, as regulations are often amended to require more stringent protection. Doing so allows organizations to maintain compliance and stay ahead of the curve.
Integrate data protection in the analytics pipeline
The data analytics pipeline is being built in the cloud, where raw data is converted into usable, highly valuable business insight. For compliance reasons, businesses must protect data throughout its lifecycle in the pipeline. This implies that sensitive data must be transformed as soon as it enters the pipeline and then stays in a de-identified state. The data analytics pipeline is a target for cybercriminals because, traditionally, data can only be processed as it moves downstream in the clear. Employing best-in-class protection methods — such as data masking, tokenization and encryption — is integral to securing data as it enters the pipeline and preventing exposure that can put organizations out of compliance or worse.
Implement privacy-enhanced computation
Organizations extract tremendous value from data by processing it with state-of-the-art analytics tools readily available in the cloud. Privacy-enhancing computation (PEC) techniques allow that data to be processed without exposing it in the clear. This enables advanced-use cases where data processors can pool data from multiple sources to gain deeper insights.
The adage, “An ounce of prevention is worth a pound of cure,” is undoubtedly valid for data protection — especially when protection is tied to maintaining compliance. For organizations that fall under any upcoming data privacy laws, the key to compliance is creating an environment where data protection methods are more stringent than required by law. Any work done now to manage the complexity of compliance will only benefit an organization in the long term.
*Since writing this article, Connecticut became the fifth state to pass a consumer data privacy law.
Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will “reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
This is encouraging news. As The National Law Review pointed out, the EU had concerns about the protection of their citizens’ data from U.S. government surveillance. But it may also be the push needed to advance greater data privacy protections in America.
“The joint statement references the U.S. putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available,” said Stephen Bailey of NCC Group in an email comment.
Data Privacy and AppSec
The world runs on apps, so it is necessary to look at how the Trans-Atlantic Data Privacy Framework will impact app development and app security.
“For application developers, the single biggest challenge to complying with increasingly rigorous data protection frameworks is getting control of their data, particularly sensitive and personally identifiable information,” explained Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance.
Today, every new app, whether bought or built, traps data in a silo, which can only be connected through the exchange of copies or point-to-point data integration.
“These copies make it incredibly difficult—and in some cases, even impossible—to support GDPR outcomes like ubiquitous data access controls, portability, custodianship, deletion (the right to be forgotten) and precision auditability: Things that could potentially, although they’re unlikely to, be included in the post-Privacy Shield framework. But they are definitely looming on the horizon both internationally and domestically, for example, in California and Utah,” said McLellan.
As data privacy frameworks become more common and we begin to see more joint efforts internationally, organizations have to think about how they share and store data in the future, taking compliance requirements into greater consideration.
Organizations need to get more serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage, McLellan says. They should be exploring ways now to eliminate data silos and copies that have resulted in rampant data proliferation.
No Quick Fixes
But, as McLellan pointed out, there are no quick fixes. Unwinding years of “an app for everything and a database for every app” mantra will be difficult, and McLellan believes this is best approached in two stages.
Stage One: Immediately treat the symptoms of data proliferation by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent. “They should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps (e.g. Google Analytics), over which they have no control,” McLellan explained. “Organizations should also adopt processes and workflows that help them establish ‘purpose-based’ data access requests.”
Stage Two: Organizations should explore ways to address the root causes of data proliferation. Everyone within the organization’s technology teams—CIO, CDO, application development, data and IT teams—should familiarize themselves with emerging frameworks like zero-copy integration, a framework that is on track to become a national standard in Canada.
“It’s the evolution of privacy-by-design and signals the beginning of the end for application-specific data silos and copy-based data integration. Such frameworks are made possible by new categories of technology, including data fabrics, dataware and blockchain that support ‘zero copy’ digital innovation. Many leading organizations, particularly in finance and health care, are already ahead of the curve in adopting this approach,” said McLellan.
Data protection regulations at home and abroad reflect a burgeoning global trend toward citizens and consumers gaining greater control and ownership of data as its rightful owner.
“These regulatory shifts,” said McLellan, “will need to be met by an equally significant shift in how U.S. businesses manage data and build new applications if there’s any hope to comply with new laws as they’re passed.”
President Joe Biden on Tuesday signed into law a $1.5 million government funding bill that includes legislation mandating critical infrastructure owners report if their organization has been hacked or made a ransomware payment.
Biden signed the legislation during a White House ceremony that was attended by administration officials and top Democratic lawmakers, including including House Speaker Nancy Pelosi (Calif.), Senate Majority Leader Chuck Schumer (N.Y.).
The Strengthening American Cybersecurity Act — which was attached to the spending deal that keeps the federal government open until September — requires that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization made a ransomware payment. It also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment.
CISA will have up to two years to publish a notice in the Federal Register on proposed rulemaking to implement the reporting effort, though it may move faster due to heightened concerns about Russian cyberattacks bleeding out of Moscow’s invasion of Ukraine.
“This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber-attacks and ransomware payments to the federal government,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who authored and championed the legislation along with Sen. Rob Portman (R-Ohio), said in a statement.
Portman, the panel’s top Republican said the legislation will “give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks.”
Are you planning a career as a DPO (data protection officer)?
Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.
Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.
The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.
Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.
“Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties.” reads the announcement.
Google is also committed tp fighting and reducing covert data collection.
The goals of the Privacy Sandbox are:
Build new technology to keep your information private
Enable publishers and developers to keep online content free
Collaborate with the industry to build new internet privacy standards
Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.
“Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates.” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
In late March 2021, Representative Susan DelBene (D-WA 01) introduced legislation to the 116th Congress to protect consumer privacy and put control of consumers’ data in their own hands.
DelBene noted that states are surging ahead of the federal government in creating privacy laws, each with their own flavor and each serving the needs of a particular constituency/demographic. DelBene argued that having a federal policy will stem consumer confusion and put the United States back into the conversation on global privacy policies. The EU, for example, is pushing their General Data Protection Regulation (GDPR) as the global standard.
Companies produce their privacy policies in “plain English” within 90 days of the bill’s passage.
Users must “opt in” before companies my use their sensitive PII. In doing so, the user is made aware of how the information may be used and more importantly how it is not to be used. Companies will have 90 days to put in place this capability once the legislation becomes law.
Companies must be transparent when it comes to sharing user information – who, what, where, how and why.
The Federal Trade Commission (FTC) will be given the authority to fine bad actors on their first offense and empower state attorneys general to pursue offenders. If the FTC doesn’t act on a complaint within 60 days, the state attorney general may pursue legal remedies.
Trust, yet verify by requiring, every two years, a “neutral” privacy audit to ensure companies (with information from 250,000 or more people) are handling PII in accordance with the provisions of the Act.
The bill will provide to the FTC 50 additional full-time employees, of which 15 must be technical experts (not further defined), and initial funding for the program will be $35 million.
Lesson 1: Take stock of identities and lock them down
When it comes to data protection, security and compliance, organizations must keep the potential technology risk within acceptable limits, which means mobilizing efforts to identify data lakes and applications where personally identifiable information (PII) and other sensitive information is stored. Organizations should then use digital transformation as the catalyst to lock those applications down with the proper controls to prevent the unauthorized use of data and use analytics to gain visibility into the management-sensitive data.
The key to any data privacy compliance is proper data protection because under these laws, consumers retain the right to deny and revoke the collection of their data. The first step in any plan around compliance is to have a basic understanding of whose data you have, where it is, and who has access to it. This principle is the foundation of identity management and governance.
Using an opt-in approach will help curb the excesses of Big Tech.
Americans have become inured to the relentless collection of their personal information online. Imagine, for example, if getting your suit pressed at the dry cleaner’s automatically and permanently signed you up to have scores of inferences about you — measurements, gender, race, language, fabric preferences, credit card type — shared with retailers, cleaning product advertisers and hundreds of other dry cleaners, who themselves had arrangements to share that data with others. It might give you pause.
But that’s the daily reality on the internet. Every minute a person spends online helps countless companies build a thicker dossier about that person.
Despite what corporations profess, much of this personal data is used not to improve products themselves, but to make those products more attractive to advertisers.
One straightforward solution is to let people opt in to data collection on apps and websites. Today, with few exceptions, loads of personal data are collected automatically by default unless consumers take action to opt out of the practice — which, in most cases, requires dropping the service entirely.
Virginia recently had the opportunity to extend firmer data protection rights to its residents. But the state’s Consumer Data Protection Act, signed into law this month, is a business-friendly package, supported by Amazon and Microsoft, that puts the onus on consumers to opt out of most data collection, except for the most sensitive personal details. Washington State lawmakers are advancing similar legislation.
Looking for affordable ways to keep your data secure? Sometimes the simplest solutions are the best – and nothing beats the simplicity of a book.
With books, you get expert advice at your fingertips. You can study whenever is convenient and the information is always there for you to reference.
So, which books are right for you? That depends on what you want to know. Fortunately, IT Governance has a selection of titles covering everything you need to know, including the GDPR, Cloud security and the CCPA.
Let’s take a look at some of our most popular titles. Below are the four best books on Data Privacy.
This bestselling guide is the ideal companion for those trying to understand how the GDPR affects their organisation.
It explains the Regulation’s requirements in terms you can understand and helps you understand data subjects’ rights and the way consent requests have changed.
You’ll also gain a deeper understanding of the GDPR’s technical requirements, such as the appointment of a DPO (data protection officer), international data transfers and the obligations of data controllers and processors.
Written by Alan Calder, IT Governance’s founder and executive chairman, this book is an essential introduction to the GDPR.
It’s ideal for anybody who is new to the Regulation or needs a refresher, explaining the legal terminology and compliance in simple terms.
It also provides invaluable advice on how you can meet the GDPR’s requirements.
This includes broad measures that your organisation should implement as well as tips on things you should and shouldn’t do when processing personal data.
If your organisation collects California residents’ personal data, you must comply with the CCPA (California Consumer Privacy Act).
The law, which took effect on 1 January 2020, applies to certain companies depending on their annual turnover, how much personal data they collect and whether they sell the information for profit.
Written by data protection expert and consultant Preston Bukaty, this handbook provides a comprehensive explanation of the law’s scope and how to achieve compliance.
OneLogin’s recent research into remote working practices shows it is proving to be fertile ground for hackers – Here’s how to stay safe
How to stay secure
Another key step to keep your business safe from breaches is to ensure that your employees are following security best practices. To celebrate Data Privacy Day, we’ve provided some practical steps to do this. For example:
Don’t share your work computer with friends, housemates or family members: 26% of respondents admitted doing this
Don’t download personal applications onto a company device: 23% of respondents admitted doing this
Don’t work on a public wifi that is not protected: 22% of respondents admitted doing this
Don’t share your corporate password with others: 12% of respondents admitted doing this
Don’t leave your corporate devices unattended in a public space:10% of respondents admitted doing this
Do encourage your company to engage with multi-factor authentication (MFA), which gives you multiple layers of protection: Only 36% of respondents suggested that MFA had been implemented
The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).
Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:
Demonstrate an understanding of privacy and cybersecurity law concepts, and basis of national/state jurisdiction
Define terms used in the CCPA/CPRA and contrast to the GDPR
Articulate the rights of consumers, and determine the duties of a business
Examine the CPRA’s security requirements and prepare relevant responses
Use the CPRA to determine what action(s) should be taken in the event of a breach
Demonstrate an understanding of the CPRA’s penalty provisions
Court documents related to a recent gun-trafficking case in New York and obtained by Forbes revealed that the FBI may have a tool to access private Signal messages.
The documents revealed that encrypted messages can be intercepted from iPhone devices when they are in “partial AFU (after first unlock)” mode.
“The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documentscontaining screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York.” states Forbes. “There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off.”
Here are our five key data privacy trends for this year.
1. There will be more public awareness of privacy rights
This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.
All of this information is helping consumers become more aware of their rights.
Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.
The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.
There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.
Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.
2. Brexit will continue to cause headaches
Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.
For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.
Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.
3. We shouldn’t expect an adequacy decision imminently
Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.
For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.
But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.
Currently, personal data can continue between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.
In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.
The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.
4. GDPR enforcement will be more consistent
In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.
In some cases, the fines were miniscule, but in others the penalties were large.
It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.
We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.
Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.
5. Cookie laws will come under greater scrutiny
From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.
So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.
Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.
Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.
Meet your data privacy requirements with IT Governance
One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.
One of the new features in iOS 14 is the ability to change the default email or browser app to a third-party alternative such as Chrome, Edge, or Outlook. A bug in the first public release of iOS 14, however, causes your default browser or mail app setting to reset to Mail or Safari when […]
In the version of iOS 14 released to the public this week, there is a massive caveat to the new default browser and settings. If you reboot your iPhone or iPad, the default app setting will reset to Apple’s first-party Mail and Safari applications.
What this means is that if you set Chrome as the default browser, but then your iPhone dies or you need to reboot it, Safari will once again become the default browser app until you go back into the Settings app and make the change again. The same applies to email apps such as Microsoft Outlook and Spark as well.
This is almost certainly some sort of bug on Apple’s side, because it is affecting email and browser apps from multiple companies including Google, Microsoft, and Readdle. On Twitter, a Google Chrome engineer has acknowledged the problem, though the ball is likely in Apple’s court to roll out some sort of fix — unless this is bizarrely the intended behavior.
Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).
The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:
Building new IT systems to store or access personal data;
Needing to comply to regulatory or contractual requirements;
Developing internal policies or strategies with privacy implications;
Collaborating with an external party that involves data sharing; or
Existing data is used for new purposes.
Privacy by design and the GDPR
The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data must be considered at the design stage of any project, during which you must process and store as little data as possible, for as short a time as possible.
Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.
Organisations need to be aware of the personal data that they are processing, and that this data is being processed in compliance with the law. Organisations can often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of them all.
Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.
The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.
