How does GDPR, data privacy, and data protection impact your business?
In this podcast, Tom Fox, the Voice of Compliance, hosts Data Privacy/Data Security expert Jonathan Armstrong, co-founder of Cordery Compliance. They use the framework of GDPR to discuss a wide range of issues relating to data privacy and data protection.
If you are a compliance professional, business leader, or InfoSec security expert, this is the podcast to learn about what is happening in the UK, EU, US, and beyond.
In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we discuss the recently announced proposed fine by the UK Data Protection Regulator against British Airways (BA) after its data breach. She intends to fine the airline £183.39 million (approximately $230MM).
Some of the highlights in this episode include: This proposed fine represents the largest GDPR fine in the UK. As the fine is now open to comment by BA and other national data protection regulators, the amount of the final fine may change. The BA CEO comes out swinging against this fine. What was the role of the ICO as ‘lead regulator’? Will BA’s tone-deaf posturing hurt or help it with the final penalty? What did BA know and when did they know (yes that is the famous Watergate question) will be a critical analysis. What remedial measures did BA engage in after it became aware of the breach? What are the lessons to be learned by the data privacy officer? For more information on Cordery Compliance, go to their website here.
For additional reading see the Cordery Compliance article, “UK Data Protection Regulator Announces Intention to Fine BA after Data Breach”.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
Learn more about your ad choices. Visit megaphone.fm/adchoices
This episode is the first of a two-part series where Jonathan Armstrong and myself consider some of the highlights from the first year of GDPR implementation and enforcement. In this Part I we considered some of the enforcement numbers. In this Part II, we discuss some of the substantive issues. Some of the highlights in this episode include: Security issues: multiple regulators for large breaches and questions of whether TOMs (technical and organisational measures) are adequate. 6 Principles of GDPR: highest is around transparency. Data Subject Rights are seen as the biggest corporate pain points. DPIAs have been embraced by many companies and are seen by regulators as the backbone of a corporate compliance program around data security/data privacy. Industry sweeps are beginning to occur. Mixed quality of legal advice is hurting many companies in their compliance efforts. Some significant cases are headed to trial and then appeal. GDPR is here to stay. For more information on Cordery Compliance, go to their website here. For additional reading see the Cordery Compliance article, “GDPR One Year On”. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
This episode is the first of a two-part series where Jonathan Armstrong and myself consider some of the highlights from the first year of GDPR implementation and enforcement. In this Part I of this two-part series we consider some of the enforcement numbers. In Part II, we will consider some of the substantive issues. Some of the highlights in this episode include: EDPB says just over 150,000 complaints filed in the EU under GDPR. Robust enforcement by both regulators and private bodies/citizens. UK leads with the largest number of complaints filed, followed by Germany then France. Around 950 complaints have reached courts. Italy is the country which has seen the largest number of court cases. Several countries are increasing inspections which could lead to enforcement actions. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
In this episode, I visit with Jonathan Armstrong about a recent enforcement action against Bounty UK Ltd. by the UK data protection regulator. Some of the issues and highlights are: The enforcement action came out of the Facebook/Cambridge Analytica investigation. Déjà vu all over again? Why did the company receive 80% of the highest possible fine? How does this case mimic the Emma’s Diary enforcement action? What are the lessons to be learned? For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
In this episode, I visit with Jonathan Armstrong about a topic which does not seem to garner the attention that it deserves in data protection: passwords. Some of the issues and highlights are: What is two-factor authentication? How, when and where should you use it? What are the most common passwords still in use? Why are passwords one of the most basic forms of data security protection? What are the lessons to be learned? For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
In this episode, I visit with Jonathan Armstrong to consider the recent regulatory fine of £145,000 leveled against the London Borough of Newham for a data breach involving the data of more than 200 people. It presents a situation where a data breach was literally a matter of life and death. Some of the issues and highlights are: What was the data and why was it so sensitive? How was the data leaked? How did the authorities determine the data breach? What was the basis of the Information Commissioner’s Office (ICO) fine? What are the lessons to be learned? For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
In this episode, I visit with Jonathan Armstrong to consider the increasing business risk around phishing. There have recently been some multi-million-dollar losses around phishing so you need to be prepared. Some of the issues and highlights are: What is phishing? The largest number of data breaches have come through phishing. Why has it become such a business risk? What are the requirements for a company to act against phishing under GDPR? What are the three key concepts in data protection? Modern phishing attacks are very sophisticated. What are some of the most intricate frauds seen in this area? For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
In this episode, I visit with Jonathan Armstrong to consider some of his predictions for the rest of 2019. Even if these predictions do not become fully formed, you should consider them in light of your data privacy/data protection policies and protocols. Some of the issues and highlights are: Drones: what are the GDPR implications? The number of data breach notifications under GDPR. Through the end of January there were over 42,000 in the EU alone. Will AI and self-driving cars follow the rules on safe driving standards, or will there be new rules for the road? What will be the effects of data, big data and AI in elections going forward? What will be the fallout from Cambridge Analytica going forward? How will businesses respond to the industrialization of internet crime? What happens when there is a Zero-Day exploit? Cybersecurity insurance. Will standard insurance rules and regulations apply, or will new policy language be drafted for such coverage? For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
In this episode, I visit with Jonathan Armstrong on the recent UK court of appeals decision in the Morrisons’ case. This decision stretched the limits of vicarious liability for a corporation to the absolute breaking point and has significant implications in the broader data privacy-data protection space. Jonathan and I go full lawyer-geek to discuss the legal theories, underlying facts and what it all may mean. Some of the issues and highlights are: The case is instructive for how to do (or perhaps not do) regular business under GDPR on data privacy. If a file is too large to email, it presents a higher data protection risk and must be so managed. Should you do risk assessments on individual employees around data privacy-data protection? How can vicarious liability exist for ultra vires conduct by an employee? How do you properly scope an investigation to ascertain an individual’s mindset? A company must require its vendors to exercise appropriate data protection and control. Will Morrisons apply to the UK Supreme Court for relief? For a more detailed reading, see the Cordery Client alert, here. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
In this episode I visit with Jonathan Armstrong on the recent fine levied by British regulators against the insolvent institution Cambridge Analytica for violations of the British privacy law which was in place before GDPR went live. The case involved Cambridge Analytica denying aggrieved parties subject access requests and associated rights. Some of the issues and highlights are: The case demonstrates how not to interact with regulators as Cambridge Analytica’s pleadings were unnecessarily demeaning. The settlement with the company left open the possibility of criminal charges against individuals. How wide is the jurisdiction of the ICO? This case tested the limits. Always remember data subjects have rights. What are the key takeaways on the case? A vigorous defense of a civil action can lead to higher regulatory fines. What does a corporate regime change mean for regulatory enforcement? For a more detailed reading, see the Cordery Client alert, here. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.