As COVID-19 restrictions are lifted and businesses begin to return to the office, companies are taking a variety of approaches to managing the transition. While some are staying at home for now and others have gone back full time, most are opting for a hybrid working policy. While this might be a sensible and fair solution for the time being, having staff work both at home as well as the office raises several data security and GDPR compliance concerns.
In this webinar, Director of Best Practice Gary Yantin and Director of Learning and Content Nick Henderson will explore the key things you need to remember to keep data safe during the latest transition.
The webinar will cover:
How companies are transitioning back to the office
How hybrid working works
Data protection risks in a hybrid working environment
How hackers and scammers took advantage during the pandemic
Best practice for data security with hybrid working
But European Commission warns adequacy could be revoked ‘immediately’
The UK has adequate standards of data protection, the European Commission ruled yesterday (28 June 2021), allowing businesses to breathe a sigh of relief. The decision means that personal data can continue to flow freely from the EU to the UK, even though the UK is now a ‘third country’. Several other countries, including Uruguay, Canada and New Zealand, are already recognised by the EU as having adequate standards of data protection. Without an adequacy decision, EU–UK data flows would have been severely disrupted, requiring a wholesale review of clauses and contracts so that data could be transferred the way it is today between the EU and third countries without adequacy, such as South Africa, India and China.
While the adequacy decision has been adopted for four years, Didier Reynders, the European commissioner in charge of data protection, said the adequacy decision could be withdrawn “immediately” if the commission had serious concerns.
On the three year anniversary of GDPR coming into force, VinciWorks hosted a webinar to look at the last three years of GDPR. We explored the effect the regulation has had on the way we collect and process data and discussed what we can expect in the next 12 months.
During the webinar we shared a conversation between our Director of Learning and Content Nick Henderson and Richard Hogg, who is the global Information Governance Director for White & Case LLP. Hogg, who has 20 years of global experience in the field, is responsible for global information governance across the firm. He previously worked at IBM, where he played a critical role in their journey to preparation for GDPR, and he speaks regularly on topics of privacy and information governance. Richard shared his expert perspective on GDPR and his views on the future of data protection.
Your questions answered on the international data transfer component of GDPR
On Friday, 4 June 2021, the European Commission published the long-awaited Standard Contractual Clauses (SCCs) to help European companies transfer data outside of the EEA.
The decision took effect 20 days after its publication in the Official Journal, on 27 June 2021. Organisations could continue to sign new contracts on the old SCCs for a further three months, until 27 September 2021, and then have 18 months to move existing contracts onto the new clauses. This means that organisations subject to GDPR must ensure that all vendor contracts and intra-group agreements that rely on SCCs contain the new SCCs by 27 December 2022.
On the three year anniversary of GDPR coming into force, VinciWorks hosted a webinar to look at the last three years of GDPR. We explored the effect the regulation has had on the way we collect and process data and what we can expect in the next 12 months.
During the webinar, we shared a conversation between our Director of Learning and Content Nick Henderson and our Data Protection Officer Ruth Mittelmann Cohen in which Ruth shared the inside scoop regarding the ins and outs of being a DPO. They discussed a DPO’s responsibilities, the challenges of being a DPO, as well as best practice with regard to GDPR within an organisation. In this blog, we’ll share with you some of the insights from that conversation and see what we can learn from it about GDPR best practice within organisations.
The EU’s General Data Protection Regulation (GDPR) has now been in force for three years. During that time, fines have reached a total of over €280 million, the UK has left the EU and the ICO has announced that there will be a new Commissioner from October.
On the three year anniversary of GDPR coming into force, we were joined by White & Case LLP’s Global Information Governance Director Richard Hogg and VinciWorks’ DPO Ruth Mittelmann Cohen to look at the last three years of GDPR. The webinar explored the effect the regulation has had on the way we collect and process data and what we can expect in the next 12 months.
The webinar covered:
What can we learn from recent GDPR fines?
Does Brexit affect data protection regulation in the UK?
Since the EU’s General Data Protection Regulation (GDPR) came into force three years ago, there have been fines reaching a total of over €280 million, the UK left the EU and the ICO has announced that there will be a new Commissioner from October.
The ICO (Information Commissioner’s Office) is the UK’s independent authority set up to uphold information rights. The organisation aims to promote openness by public bodies and data privacy for individuals. Part of their role is to help ensure organisations meet their information rights obligations and take action when they don’t.
What can we learn from some of the GDPR offences committed and ICO penalties levied over the past few years? How can we avoid becoming the next casualty? Let’s look at a few examples and break them down.
Ticketmaster, the popular online ticket purchasing platform, was fined £1.25 million in November 2020 for failing to keep its customers’ personal data secure. The breach was caused by a cyber-attack on a third-party chat-bot that Ticketmaster had installed on its online payment page. The attack exposed names, payment card numbers, expiry dates and CVV numbers of up to 9.4 million of Ticketmaster’s customers across Europe and the UK. The lesson is that any third-party script loaded on a payment page runs with the same access to that page as your own code, so it needs the same scrutiny, and ideally should not be on the payment page at all.
PECR refers to the Privacy and Electronic Communications (EC Directive) Regulations 2003, the UK law that implements the EU’s ePrivacy Directive and governs how businesses are allowed to market to customers by electronic means such as email, text message, phone calls and cookies. The law is wide-reaching: it covers all industries and applies across the board. The ICO can fine up to £500,000 per breach and, since 2018, can hold company directors personally liable for such fines. Because PECR is UK law, it continues to apply in the UK after Brexit; the equivalent rules in the EU come from the ePrivacy Directive as implemented in each member state.
Since GDPR came into force in May 2018, there have been almost €270 million worth of major fines (those with a value of over €100,000) handed to a total of 50 companies. Companies who have been hit with these fines include Google, British Airways, Marriott Hotel Group and many other big names. A transparent reporting process will help companies identify data breaches, mitigate the risks and take any action required to ensure a data breach doesn’t happen again.
Best practice for reporting personal data breaches
The EU’s General Data Protection Regulation (GDPR) requires organisations to report certain types of personal data breaches to relevant supervisory authorities. Where feasible, you must do this within 72 hours of becoming aware of the breach.
Fear is a great motivating factor for people to start complying with previously ignored rules and regulations, whether that applies to COVID-19 or GDPR. Take, for instance, the increasing number of anti-maskers suddenly masking up following spiking numbers of COVID-19 deaths in their area. Like most of us not believing authorities’ dire predictions until they hit home, people still tend to be reactive rather than proactive, and even more so when an ongoing situation is rife with uncertainty.
The story of GDPR preparedness seems to follow a similar path. Although the regulation was introduced in May 2018, and there has been no shortage of heavy fines hitting businesses since, an overwhelming number of EU, US and UK businesses are still not fully GDPR compliant, and some have not yet even begun their GDPR initiatives.
Like COVID-19, GDPR doesn’t seem to be going away anytime soon, although some businesses would probably like it to. So why, after more than two years, are so many organisations unable to rise to the challenge?