What brands can learn from a year of GDPR in preparing for the California Consumer Privacy Act

May 2019 marks the one year anniversary of the implementation of the General Data Protection Regulation (​GDPR), the most substantial change in data privacy regulation in decades. While the GDPR has done significant good in raising awareness around individuals’ rights when it comes to data, the story of enforcement has been entirely different.

The surprising lack of large fines and the continued misuse of third party data, which many thought would cease to exist altogether, has been glaring this past year. However, this can still change with the implementation of new legislation, such as the anticipated ePrivacy component — the next element of the EU’s data protection regime that is anticipated to go into effect soon — and a major data privacy development coming to the U.S. in January 2020: the California Consumer Privacy Act (CCPA). In this post, I’ll discuss lessons learned from the GDPR after one year and tips for how to best prepare for the CCPA and other more stringent legislation that’s anticipated in the near future.

Full Article Here

GDPR compliance is paying off for the minority of businesses who make the grade

This is according to research published today by Capgemini Research Institute, which surveyed 1,100 senior executives from companies across the Netherlands, Germany, Norway, Sweden, France, Spain, Italy, India, the UK and the US.

It found that while only 28% of companies had successfully achieved GDPR compliance, 92% of those who were compliant reported having a competitive advantage as a result.

Full Article Here

PwC will have to work to rebuild trust after shock GDPR fine

The corporate world has gotten a shock of its recently when the data protection enforcement body of Greece has imposed a fine on one of the Big 4. PwC’s Greek holdings, “PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA”, has received a fine under Article 83 of the GDPR amounting to 150 000 EUR.

In addition, the Hellenic DPA has also imposed corrective measures on the organization to be complied with under the European Regulation.

Full Article

Tim Cook mourns the passing of ‘father of GDPR’ Giovanni Buttarelli

Apple CEO Tim Cook has written a piece for Italy’s most popular newspaper, mourning the passing of Europe’s head of data protection, Giovanni Buttarelli.

Buttarelli took the lead on the introduction of the world’s toughest privacy regulations, the General Data Protection Regulation (GDPR). GDPR requirements are so stringent that even Apple had to boost its privacy efforts in order to comply …

GDPR

The four key requirements of GDPR for companies processing personal data are:

  • There must be a specific, lawful reason to process the data
  • Personal data must be encrypted
  • You have a right to a copy of your data
  • You can ask for your data to be deleted

Apple had to take action on the third and fourth bullet points: It previously offered no easy way to access all the data the company held on you, and you could only ask for your Apple ID data to be disabled rather than deleted. You are now able to download a copy of all your data, and to choose between disabling and deleting your Apple ID data.

Apple committed to offering GDPR-standard privacy protections to its customers worldwide, and Cook has called for a federal privacy law in the US along the lines of Europe’s GDPR.

 

Full Article

“Learning The Lessons” – Why GDPR Compliance Matters

It is well over a year now since the EU General Data Protection Regulation (GDPR) came into effect. It was a defining moment in the history of data privacy. It shone a spotlight on data protection, helping to turn it into a top priority for organisations worldwide. It engendered stricter laws in California, New Zealand and Brazil and a range of other states and countries. 

According to the European Data Protection Board, regulators in 11 countries issued fines totalling €56 million for GDPR violations over the first year of GDPR. Recent months, however, have seen some particularly high-profile cases and heavy fines announced. In July, the UK watchdog, the Information Commissioner’s Office (ICO) issued notice of its intention to fine British Airways £183.39 million for GDPR infringements. The following day, the ICO reported that it intended to fine hotel chain, Marriott International $111.5 million for GDPR infringements relating to a 2018 cyber incident.

Full Article

GDPR privacy can be defeated using right of access requests

A British researcher has uncovered an ironic security hole in the EU’s General Data Protection Regulation (GDPR) – right of access requests.

Right of access, also called subject access, is the part of the GDPR regulation that allows individuals to ask organisations for a copy of any data held on them.

This makes sense because, as with any user privacy system, there must be a legally enforceable mechanism which allows people to check the accuracy and quantity of personal data.

Unfortunately, in what can charitably be described as a massive GDPR teething problem, Oxford University PhD student James Pavur has discovered that too many companies are handing out personal data when asked, without checking who’s asking for it.

Full Article

British Airways faces $230 million fine…

London (CNN Business)British Airways faces a record $230 million fine after a website failure compromised the personal details of roughly 500,000 customers.

It would be the largest penalty yet under a tough privacy rule known as the General Data Protection Regulation, which came into force last year in the European Union.

Full Article Here

LaLiga facing €250k fine for GDPR violations in app used to spy on users

Spanish soccer league LaLiga is facing a fine of €250,000 (approximately $283,000) for GDPR violations resulting from a convoluted wiretap in their smartphone app intended to curb piracy of soccer match broadcasts. The Spanish Agency for Data Protection (La Agencia de Protección de Datos, or AEPD) levied the fine this week due to the league’s violation of consent-related clauses in the GDPR, as LaLiga did not properly disclose the nature of the microphone usage, according to a report from Spanish newspaper ABC.

Link to Full Article

Europe’s sweeping privacy rule was supposed to change the internet, but so far it’s mostly created frustration for users, companies, and regulators – CNBC

By Kate Fazzini – The European Union’s General Data Protection Regulation was celebrated as a revolution in how internet privacy could be legislated. It was a reaction to long-term concerns in the EU about information collection by tech giants like FacebookAlphabet and Apple.

Known as GDPR, the regulation gave sweeping new powers to individuals in how they can control their data, including the right to demand that companies tell them how their data is used, and to ask corporations to destroy their data, a tenet of the law known as “the right to be forgotten.”

Full Article

Facebook’s new plan doesn’t protect your privacy, and neither does the FTC – CNN

By Sally Hubbard for CNN Business Perspectives – The company made $56 billion in 2018, in part by tracking people both on and off its platform and then selling targeted advertisements based on that surveillance. Yet when Facebook announced a shift to a “privacy-focused communications platform” in March and unveiled a redesign toward private messaging at its F8 developers conference on Tuesday, Facebook’s stock value did not even dip. How could that be, if surveillance is essential to Facebook’s business model?

Full Article