But European Commission warns adequacy could be revoked ‘immediately’

The UK has adequate standards of data protection, the EU Commission ruled yesterday, allowing businesses to breathe a sigh of relief. This decision means that data can continue to flow between the UK and EU, despite the UK now being a ‘third country’. Several other countries including Uruguay, Canada and New Zealand are considered to have adequate standards of data protection by the EU. Without an adequacy decision, data flows between the UK and EU would have been severely disrupted, requiring a wholesale review of clauses and contracts to ensure data could be transferred as it is now between the EU and third countries such as South Africa, India and China.

While the adequacy decision has been adopted for four years, Didier Reynders, the European commissioner in charge of data protection, said the adequacy decision could be withdrawn “immediately” if the commission had serious concerns. 

Your questions answered on the international data transfer component of GDPR

On Friday, 4 June 2021, the European Commission published the long-awaited Standard Contractual Clauses (SCCs) to help European companies transfer data outside of the EEA.

Organisations can carry on using the current SCCs for a further 3 months and 20 days, until 24 September, 2021. Then there will be 18 months and 20 days to get the new SCCs in place. This means that GDPR organisations must ensure that all vendor contracts and intra-group agreements contain the new SCCs by 24 December, 2022.

On the three year anniversary of GDPR coming into force, VinciWorks hosted a webinar to look at the last three years of GDPR. We explored the effect the regulation has had on the way we collect and process data and what we can expect in the next 12 months.

During the webinar, we shared a conversation between our Director of Learning and Content Nick Henderson and our Data Protection Officer Ruth Mittelmann Cohen in which Ruth shared the inside scoop regarding the ins and outs of being a DPO. They discussed a DPO’s responsibilities, the challenges of being a DPO, as well as best practice with regard to GDPR within an organisation. In this blog, we’ll share with you some of the insights from that conversation and see what we can learn from it about GDPR best practice within organisations.

GDPR – Three years on: Watch the full webinar here

Since the EU’s General Data Protection Regulation (GDPR) came into force three years ago, there have been fines reaching a total of over €280 million, the UK left the EU and the ICO has announced that there will be a new Commissioner from October.

The ICO (Information Commissioner’s Office) is the UK’s independent authority set up to uphold information rights. The organisation aims to promote openness by public bodies and data privacy for individuals. Part of their role is to help ensure organisations meet their information rights obligations and take action when they don’t.

What can we learn from some of the GDPR offences committed and ICO penalties levied over the past few years? How can we avoid becoming the next casualty? Let’s look at a few examples and break them down. 

Ticketmaster 

What happened?

Ticketmaster, the popular online ticket purchasing platform, was fined £1.25 million in November 2020 for failing to keep its customers’ personal data secure. The data breach was caused by a cyber-attack on a chat-bot installed on its online payment page. The attack exposed names, payment card numbers, expiry dates and CVV numbers of up to 9.4 million of Ticketmaster’s customers across Europe and the UK.

Major GDPR fines reach a collective €270 million

Since GDPR came into force in May 2018, there have been almost €270 million worth of major fines (those with a value of over €100,000) handed to a total of 50 companies. Companies who have been hit with these fines include Google, British Airways, Marriott Hotel Group and many other big names. A transparent reporting process will help companies identify data breaches, mitigate the risks and take any action required to ensure a data breach doesn’t happen again.

Best practice for reporting personal data breaches

The EU’s General Data Protection Regulation (GDPR) requires organisations to report certain types of personal data breaches to relevant supervisory authorities. Where feasible, you must do this within 72 hours of becoming aware of the breach.

Fear is a great motivating factor for people to start complying with previously ignored rules and regulations – whether that applies to COVID19 or GDPR. Take for instance the increasing number of anti-maskers suddenly masking up following spiking numbers of COVID-19 deaths in their area. Like most of us not believing authorities’ dire predictions until they hit home, people still tend to be reactive rather than proactive – and even more so when an ongoing situation is rife with uncertainty.

The story of GDPR preparedness seems to follow a similar path. Although introduced in May 2018, with no dearth of heavy fines hitting businesses, there are still an overwhelming number of EU, US and UK businesses that are not fully GDPR compliant, with some that not yet even have begun their GDPR initiatives.

Like COVID-19, GDPR doesn’t seem to be going away anytime soon, although some businesses would probably like it to. So why, after more than two years, are so many organisations unable to rise to the challenge?