Life with GDPR

In this episode I visit with Jonathan Armstrong are back to discuss issues relating to data privacy, data protection and GDPR. Today, we consider the recent decision by the UK Supreme Court on the Morrisons case. Some of the highlights are:

1. What were the background facts of the case and the trial court ruling?
2. What did the UK Supreme Court rule?
3. Does the SCt ruling leave the door open for subsequent class actions?
4. What are the differences between primary liability and vicarious liability?
5. What steps should a company take in response to the Morrisons ruling?
6. What does all of this mean for US companies, trying to get data out of the UK and EU?

Check out the Cordery Compliance, client alert on the Morrisons decision, here. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode of Life with GDPR, Jonathan Armstrong and Tom Fox consider the recently released UK Information Commissioner’s Office (ICO) Cathay Pacific Airways Limited fine of £500,000 for failing to protect the security of its customers’ personal data. This is a pre-GDPR case and the fine represents the maximum fine under the ICO’s pre-GDPR powers. The ICO took into particular account the fact that Cathay Pacific failed to follow its own policies and ignored fundamental best practices.

Some of the highlights in this episode include:

1. What were the background facts of the enforcement action?
2. What are the implications of a pre-GDPR enforcement action?
3. Why was the maximum fine levied?
4. What were the regulators findings?
5. What are the lessons learned for the data protection practitioner?
6. Where listeners can go for more information.

Resources

Cordery Breach Navigator

Cordery Client Alert “Client Alert: ICO Fines Cathay Pacific £500k for Data Security Breach”

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode of Life with GDPR, Jonathan Armstrong and Tom Fox consider the multiple data privacy/data protection risks which have arisen under the coronavirus health crisis.

 Some of the highlights in this episode include:

1. How does coronavirus impact GDPR compliance?
2. What issues arise with working from home?
3. What is consent and why is it so critical now?
4. What is the role of a DPIA in this process and why is it so critical?
5. Can you monitor employees working from home?
6. What about customer communications?
7. What are some basic best practices to minimize risk at this point?
8. What does this mean for companies and clients going forward?

Resources

Cordery Breach Navigator

Cordery Client Alert “Coronavirus and Data Protection”

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode of Life with GDPR, Jonathan Armstrong and Tom Fox have their first emergency podcast. Earlier this week, the Irish Data Protection Commission raided Facebook in Ireland over the company’s announced plan to begin a dating service on Valentine’s Day.

Some of the highlights in this episode include:

1. What is the to-do all about?
2. Do European data protection authorities have dawn raid powers?
3. What might the Irish Data Protection Commission have been looking for in this raid?
4. What is the role of a DPIA in this process and why is it so critical?
5. When should a DPIA be carried out?
6. How can a DPIA a mitigating or aggravating factor?
7. What is the importance of training around DPIAs?
8. What does this mean for companies and clients going forward?

Resources

Cordery Breach Navigator

Cordery Client Alert “Ireland’s Data Protection Authority Halts Facebook Dating Service”

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode of Life with GDPR, Jonathan Armstrong and Tom Fox are back to discuss the recent ICO announcement that it was extending the time for British Airways and Marriott to respond to its proposed fine and penalty. Some of the highlights in this episode include:

1. What makes the background of the case so complex?
2. What did the ICO say and why did they extend the deadline for BA to respond?
3. What are some of the possible reasons for the delay?
4. What if anything does Brexit have to do with this?
5. In view of Brexit, will the EU be watching the ICO in this matter?
6. What might be the relationship between the ICO and EU on data privacy going forward?
7. Background of British Airways (BA) enforcement action.

Resources

Is the BA Fine in the Departure Lounge?

Cordery Breach Navigator

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode Jonathan Armstrong and I consider the implications of GDPR enforcement going forward after Brexit. Recognizing the situation is incredibly fluid, there are nevertheless some areas of risk management that you can begin to prepare for in the event of a deal for an orderly Brexit, a no-deal Brexit or an extension of the deadline Some of the highlights in this episode include:

1. What does Brexit mean for GDPR enforcement?
2. How will the UK-ICO move forward after Brexit?
3. What are the implications of a no-deal Brexit? What can a company do to prepare at this point?
4. How will the Irish regulators react to Brexit?
5. What will Brexit mean for internal investigations, both in the UK and EU?
6. What happens if there is an extension?

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode of Life with GDPR, Jonathan Armstrong and Tom Fox are back to discuss the role of vendors in data breaches and the corporate response thereto. Some of the highlights in this episode include: 

How much due diligence did you perform on your vendors from the data protection risk perspective?How much due diligence did you engage in for any M&A activity or acquisitions?Do you have the full cooperation of your vendors in any data breach?What is the role of a vendor in responding to a data breach?Does your risk management strategy have a fall back if you have to terminate a vendor over a data breach?For more information on vendor data breaches, check out the following resource on the Cordery Compliance website, https://www.corderycompliance.com/dealing-with-a-data-breach/ . Also if you have not done so, check out the Cordery Breach Navigator here,  https://www.corderycompliance.com/solutions/breach-navigator/

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we conclude our three-part series of some of the key lessons learned from the first year of GDPR. Some of the issues and highlights are:

Remediate then report. The remediation of an issue before reporting can be the key issue for regulators on whether they will move forward with a more public spanking. It is important to show that you have learned lessons and applied them to the facts of your data breach. Don’t try and cheat the victims by imposing new contractual terms such as Equifax did in its recent settlement. Think of the simple way for a data breach to occur, a briefcase left on the Tube.

Don’t Diss the DPA. Why would a company take on the regulator? You must respect the regulator even if you disagree with them. You can make a bad situation worse by attacking the regulators. This does not mean you cannot forcefully argue you position or zealously represent you client but calling regulators idiots in public filings will not help you position or your case. 

Keep logs. This is important in case you need to revisit a decision later. Regulators can ask to see these logs at any time, not simply during an investigation or enforcement action. A compliance officer should be involved in the maintenance of the log system. Document Document Document. Unannounced inspections are beginning to occur.

Debrief and Learn. Revisit the facts to see what lessons are to be learned. Continuous improvement. Even on a journey of 1000 miles, it is important to look back. Once again if you make a change due to a breach or other event, document what you have done so you can show the regulators.

For more information on Cordery Compliance, go their website here.

For more information on data breaches, see here.

Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we continue our three-part series of some of the key lessons learned from the first year of GDPR. Some of the issues and highlights are:

DPIA Everything. It’s mandatory under GDPR. It is a process analysis so you will need Subject Matter Expertise. How often do you revisit DPIA? Regulators are beginning to look at the process of your DPIA. When new process comes into play, you should do a new DPIA. Do you require DPIA when you hire 3rdparty vendor or in the M&A situation? If not you should do so moving forward.

Do SARs and DSRs are real good.How do you deal with these types of request? More importantly do you have a centralized team to understand the reason behind the request. Who could make that analysis? Is it a work in progress for your organization? Robust response to SARs is critical, as they are here to stay as core component of GDPR.

Respect the time. Time limits are much more generous in the US. Some regulators suggest not to be obsessed with time. Will courts allow ‘reasonable delay’? Corporations trying to extend the 72 hour by time zone arguments and other ridiculous argument by US corporations. (Listen for the Thanksgiving Weekend exemption) Regulators can fine you for being late. Are US companies getting the message? It’s a mixed bag, some are not doing so.

For more information on Cordery Compliance, go their website here.

For more information on data breaches, see here.

Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we begin a three-part series of some of the key lessons learned from the first year of GDPR. Some of the highlights in this episode include:

Do you have a plan? You need to have a plan for a data breach because it is not if but when you will be hacked. Armstrong advises you can be two plans; one for all employees which is straight-forward so that all employees will be able to understand it. You should have a second plan, which you rehearse which is for all compliance/IT/data security. It should be process driven so it allows flexibility for those responding.

Know your data and know your third parties. Many companies have disaggregated data because they have so many vendors and platforms where data is stored. You must know who has your data. Do you have visibility into 3rd, 4thand 5thparties from the data perspective? You should also capture where data is going in an organization, particularly customer and employee data. Finally, and sadly overlooked by many US companies is the question of data protection of a US parent when a UK/EU sub is audited?

Assemble your data response team now and practice, practice, practice.You need to look at your data security response. What does the A Team teach you about data response? You should strive for strength in diverse skills and practice your response. Look at PR rapid response, your compliance, your legal response all in addition to your IT/data security response. Regulators looking at share price drop off, this shows the need for a rapid, practiced response.

For more information on Cordery Compliance, go their website here.

For more information on data breaches, see here.

Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices