RGPD

GDPR review of 2019

As 2019 draws to a close, it’s time to take a look at what has happened with the GDPR over the past twelve months.

On May 25th this year, we celebrated the first anniversary of the implementation of the regulation.

At the time, some organizations were still struggling to both understand and comply with GDPR and its complexities. The primary objective of the GDPR is to give citizens back control of their personal data. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.

There are strict requirements on the way businesses collect, store and manage personal data. GDPR provides citizens of the EU with greater control over their personal data and assures that their information is being securely protected across Europe, regardless of whether the data processing takes place in the EU or not. Personal data can be a name, email, address, date of birth, personal interests, unique identifiers, digital footprints and more.

ICO

In the UK, the Information Commissioner's Office (ICO) is the governing body that oversees GDPR. It offers advice and guidance, promotes good practice, carries out audits and advisory visits, considers complaints, monitors compliance and takes enforcement action where appropriate.

GDPR replaced the 1995 Data Protection Directive and aims to strengthen and unify data protection for all individuals within the European Union.
It is the biggest overhaul of personal data privacy rules since the launch of the internet.

GDPR compliance

Businesses need to look closely at their data and how they handle it. There are many things a company must do in order to be compliant with GDPR.

Know your data. You need to demonstrate an understanding of the types of personal data (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) you hold, where they’re coming from, where they’re going and how you’re using that data.

Identify whether you’re relying on consent to process personal data. If you are (for example, as part of your marketing), these activities are more difficult under the GDPR because the consent needs to be clear, specific and explicit. For this reason, you should avoid relying on consent unless necessary.

Look hard at your security measures and policies. You need to update these to be GDPR-compliant, and if you don’t currently have any, get them in place. Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.

Access requests have one month to be dealt with. Under GDPR, citizens have the right to access all their personal data, rectify anything that’s inaccurate and object to processing in certain circumstances, or completely erase all their personal data that you may hold. Each request carries a timeframe and deadline of one month (which can only be extended in mitigating circumstances), from the original date of request.

Employees need to undergo training and serious breaches need to be reported within 72 hours. Ensure your employees understand what constitutes a personal data breach and build processes to pick up any red flags.

It’s also important that everybody involved in your business is aware of a need to report any mistakes to the Data Protection Officer (DPO) or the person or team responsible for data protection compliance, as this is the most common cause of a data breach.

Conduct due diligence on your supply chain. You should ensure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. You also need to ensure you have the right contract terms in place with suppliers (which put important obligations on them, such as the need to notify you promptly if they have a data breach).

Create fair processing notices. Under GDPR, you’re required to describe to individuals what you’re doing with their personal data.

Decide whether you need to employ a Data Protection Officer (DPO). Most small businesses will be exempt. However, if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or involve processing large volumes of ‘special category’ data, you must be advised and supported by a Data Protection Officer (DPO).

Fines

Worryingly, 58% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by the GDPR within the one-month time limit set out in the regulation, according to updated research from Talend.

With an increasing use of data and new technologies – facial recognition and AI – by the public sector to improve the citizen experience, the need for more integrated data governance is a must-have for 2020 and beyond.

In the most serious cases, organisations can be fined up to €20m or 4% of their worldwide annual revenue – whichever is larger.

But regulators are supposed to take into account whether the offending body co-operated with their inquiry, any past offences and whether the infringement was deliberate or a mistake, among other factors, when deciding the amount.

The most recent GDPR fine came earlier this month. A German internet service provider faces a €9.6m ($10.6m; £8m) fine after being accused of failing to carry out tough enough customer ID checks.

Germany’s data protection watchdog said anyone who called 1&1 Telecom could get extensive personal information about someone else solely by giving their name and date of birth.

The BfDI (Federal Commissioner for Data Protection and Freedom of Information) acknowledged that 1&1 Telecom had been “transparent and very co-operative” and had also taken steps to improve its practices.

But the watchdog said the sum was still justified on the basis that its entire customer base had been put at risk.

In October, the same regulator punished a German property company with a bigger €14.5m fine for holding on to people’s personal data for longer than was necessary.

Just last week, a London-based pharmacy was fined £275,000 after it breached data protection laws by failing to safely store sensitive patient information.

Doorstep Dispensaree, based in Edgware, north London, stored approximately 500,000 documents containing care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions in its courtyard, according to the ICO.

Doorstep Dispensaree claimed the documents were securely stored because the courtyard was locked. However, the ICO did not accept this reasoning and said the pharmacy itself admitted that residents in the flats above the branch could access the area through a fire escape.

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect,” ICO director of investigations Steve Eckersley said.

The ICO has given the pharmacy a deadline of January 17 to pay the fine.

Round-up

2019 is the year that GDPR got its teeth. Companies, including Google, British Airways and Marriott International, were handed record fines for intentional or negligent misuse of data.

If you thought the new law was a paper tiger, think again. Businesses that haven’t taken compliance seriously or aren’t sure whether their compliance efforts are sufficient would be wise to react accordingly.

This was the year that businesses needed to get their house in order and make sure that they had effective GDPR awareness training for all employees in place.

Cyber security continues to be important, and it is vital that appropriate measures are taken to make sure businesses are protected.

What is certain, is that 2020 will be an interesting – and busy – year.

RGPD

GDPR enforcement in Europe

While things have gone a little quiet in the UK following the ICO’s notices of intent to fine British Airways and Marriott in the summer, European data protection authorities have been a little more active in recent weeks. A quick summary of some of the cases:

· Bulgaria – €2,600,000 fine – information security breach leading to 6 million records being made available

· Sweden – €18,630 – a school introduced the use of facial recognition technology for monitoring attendance without having conducted a Data Protection Impact Assessment (DPIA) and, as facial recognition constitutes biometric data, they could not find an applicable lawful basis (consent could not be “freely given” in this scenario).

· Germany – €195,407 fine – a company had not deleted the personal data relating to former customers who had not been active for a number of years. The company also continued to send unsolicited marketing messages even after receiving objections from the recipients.

· Austria – €50,000 fine (unconfirmed) – a controller working in the medical sector was fined for failing to appoint a statutory Data Protection Officer, relying on consent for use of personal data (when consent could not be “freely given”) and had not conducted any DPIAs, despite the sensitivity of the data they held.

RGPD

Comissão Nacional de Proteção de Dados – Deliberação 2019/494

The Comissão Nacional de Proteção de Dados (CNPD) has decided to stop applying, in whole or in part, 9 of the 67 articles that make up the national law implementing the General Data Protection Regulation.

As to its refusal to apply the articles in question, the CNPD argues that «certain provisions of this law are manifestly incompatible with (European) Union law, focusing, for now, its attention on those provisions which, by their relevance and frequency of application, make the formal adoption of such an understanding pressing».

It is on the basis of the «primacy of European Union law» that the CNPD further announces that it will stop applying paragraphs and sub-paragraphs of the nine articles «in future cases it comes to assess» during the inspections, notifications or authorisations requested of it.

The CNPD explains that disapplying the nine articles results in «the direct application of the provisions» of the European Regulation, which risked being «manifestly restricted, contradicted or compromised in their useful effect».

https://lnkd.in/gDxt4UJ

RGPD

The DPO must be independent, but how?

The EU General Data Protection Regulation requires certain organizations to appoint a data protection officer. Even where such an appointment is not mandatory, it is still advisable for organizations processing personal data to appoint a DPO. The European Data Protection Board, formerly the Article 29 Working Party, has said DPOs are the cornerstone for organizations in terms of GDPR compliance. The DPO must be involved in all issues concerning the protection of personal data in an organization at the earliest opportunity. DPOs may be internal or external. Due to the critical role that he or she plays, the GDPR requires that the DPO is allowed to exercise his or her functions independently. So, what exactly is the role of a DPO, and why is it necessary that they be independent?

Full article at: https://iapp.org/news/a/the-dpo-must-be-independent-but-how/

RGPD

Back to school … and do you protect your personal data?

The return to school also marks the recording of personal data by associations, sports clubs and all kinds of administrative documents. And do you protect your personal data? Do you know that the paper data you provide to schools, associations and public administrations are also fantastic sources of personal data for hackers?

Protect your personal data – school enrolments, associations, … are collected like dead leaves fallen from the trees in autumn! All these forms require personal and often sensitive data: first name, surname, address, telephone (mobile / landline), email, health records, school transport pick-up location, IBAN, medical certificates, …

Take care of your data and of your family's!

RGPD

Tribute to Giovanni Buttarelli

“compliance with the law is not enough.”

“What then is the relationship of ethics and the law? From my perspective, ethics come before, during and after the law. It informs how laws are drafted, interpreted and revised. It fills the gaps where the law appears to be silent,”
“Ethics is the basis for challenging laws. Remember that slavery was legal. Child labour and censorship are still legal in many jurisdictions”.
by Giovanni Buttarelli

DIGITAL ETHICS AND LEGAL DATA PROTECTION COMPLIANCE?

The GDPR is an important step forward but digital technologies will continue to evolve and laws will quickly become out of date. The GDPR focuses on individual rights. It does not consider the broader societal implications of new digital technologies. Ethical thinking and deliberation come before, during, and after the law. Ethics are the foundations of our legal systems and ensure that they are updated when necessary. Debating ethics and discussing what is right and wrong is the process of societal self-reflection and self-evaluation on which we, as members of society, establish values and norms and enact binding, enforceable rules. This is where the difference between law and ethics lies. While laws are part of a society’s ethics, their differentiating characteristic is that they are enforceable, that there is a public, official mechanism that holds you to account and sanctions you if you violate them. History has shown that ethical notions of good and bad change. This means that they must continuously be re-debated and re-defined. Whenever technological innovation came with risks and dangers, ethics have been key in addressing and preventing them. Ethics can also help us now to find a path into a digital future that re-affirms and protects our long-standing culture of values and rights.

Professor Norman Sadeh said at our conference: “Ethics is not a destination; it is a journey.”

Europe instead should be innovating in ways that will enable businesses to earn the trust of people again. A first step would be to reconsider what we mean by consent. Consent has to be specific, informed and freely given. If what you are doing with data is clearly unobjectionable – maybe consent is not the appropriate legal basis. You should be confident that you have risk mitigation measures in place, that you are considering the best interests of the individual data subject, therefore aim to rely on the legitimate interests legal grounds. My prediction is that as the GDPR beds in, and as the rest of the world increasingly emulates Europe’s standards, we will see some new business models emerge – where data protection by design is visibly in play. It will be up to regulators and supervisory authorities to support such innovation.

by Giovanni Buttarelli

RGPD

Ireland’s Department of Employment and Social Protection may face GDPR fine of up to €1m on biometric data probe

The Department of Employment Affairs and Social Protection in Ireland faces the prospect of becoming the first public body to be fined under data protection laws.
Last year the DPC launched an investigation into the department, which holds the largest data set on the Irish population, after senior officials changed an online declaration that said it collected “biometric data”, reported the Times.

RGPD

CNPD condemns clinics that refuse to treat patients for lack of signatures

Healthcare units refused to treat patients who had not authorised the processing of their personal data, which the Comissão Nacional de Proteção de Dados (CNPD) considered a mistake that contravenes the regulation in force.

“The CNPD understands that requiring the data subject's consent for the processing of personal data necessary for the provision of healthcare rests on an error as to the ground of unlawfulness [illegality] of the data processing and therefore contradicts the provisions of the General Data Protection Regulation (GDPR)”, the commission states in an opinion issued on Friday, available on its website.

The CNPD thus responded to the Entidade Reguladora da Saúde (ERS), which had asked it to issue opinions on inquiry proceedings opened by the ERS last year over the refusal to provide healthcare to data subjects who had not signed a declaration authorising the processing of their personal data.

https://lnkd.in/gAJ7ZDJ

RGPD

Data protection: the law implementing the GDPR has been approved

Following ratification on Wednesday, the bill regulating the application of the General Data Protection Regulation (GDPR) in Portugal, which had been under discussion for more than a year, was approved today. Promulgation by the President of the Republic and publication in the Diário da República are still required.

Although it is a Regulation, and therefore directly applicable in the national law of EU Member States, the GDPR (RGPD in the Portuguese version) left some margin of application that needed to be defined, namely the designation of the national supervisory authority, the age from which young people are considered responsible for consenting to the processing of their data, and possible changes to sanctions and exceptions.

RGPD

One year of GDPR

The General Data Protection Regulation (GDPR) took the EU by storm, and everyone scrambled to maintain the highest standard of data privacy known to date.

So what has the GDPR actually achieved in the past year?
