The EU-US Privacy Shield is no more. In a dramatic move, the European Court of Justice ruled the agreement covering the transfer of EU citizens’ data to the US is invalid as of 16 July 2020.
What is the Privacy Shield?
The Privacy Shield is used as a mechanism for data transfer for over 5,000 companies to ensure that data subject to GDPR standards is kept secure and safe when held in the US.
Since the Privacy Shield is no longer in effect, companies will have to rely on other mechanisms, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs), to maintain transatlantic data transfers.
It is important to note that this ruling does not concern what’s known as ‘necessary’ data transfers, like sending an email to book a hotel or finalise a contract. This ruling is about the bulk outsourcing of data covered by GDPR, that is EU citizens’ data, to the US. This is often done for cost reasons or because the business is based in the US.
Long term, this ruling could mean more EU data is processed closer to home. However, in the short term, any data which is transferred using the Privacy Shield mechanism should be reassessed and a new framework put in place, at least temporarily, to reduce any interruption to the data flow.
Over half of the world is currently under lockdown, and one of the greatest challenges many organisations face is how to keep operating as close to normal as possible during this time. Unfortunately, during these times, compliance can often take a back seat, but GDPR hasn’t gone away.
In our 20-minute on-demand webinar, our Director of Learning and Content Nick Henderson takes us through the key things you need to remember to keep data safe during the current coronavirus crisis. He also gives guidance on how to ensure you prevent GDPR breaches while working remotely.
Due to the recent spread of the novel Coronavirus (COVID-19), many employees have been forced for various reasons to work out of the office. As the virus spreads across Europe and global cases approach 100,000, the British government warned that one in five workers in the UK could be off sick during a Coronavirus peak, with many more likely to be in self-isolation due to having returned from certain destinations or having come into contact with infected individuals. Additionally, some organisations have temporarily closed their offices and told workers to work from home as a precautionary measure.
Keeping data safe and secure inside an office is one thing. Keeping it safe outside the office can be trickier. With that challenge in mind, we’re here to present you with seven vital tips on how to keep yourself and your organisation safe from a GDPR and cyber-security perspective when working remotely.
On 31 January 2020, the UK’s membership of the EU ended, and Britain entered a transitional period that will last until 31 December 2020. To prepare for the change, a flurry of Brexit-related legislation was passed. One central piece of legislation with a wide-ranging impact that changed is GDPR, which has been replaced in UK law with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The impact of Brexit on each business will depend on its type and the locations in which it collects and processes data, but there is sure to be some level of impact for everyone.
A number of our courses required minor amendments following the UK’s departure from the EU on 31 January 2020. Mainly, these changes affected our suite of data protection training, which now includes an opening paragraph making it clear that mentions of GDPR in the course refer to both the EU GDPR rules as well as UK GDPR rules, unless otherwise stated.
178 notifications per day just in the first half of 2019
A total of £100m in fines
Here are some of the recent fines that regulating authorities have issued and guidance on how to make sure your business stays on the right side of GDPR.
Four GDPR fines we can learn from
British Airways – £183m (under appeal)
The airline was the victim of a cyber attack in which the personal data of 500,000 customers was stolen by hackers through a fake website. The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said. The incident was first disclosed on 6 September 2018, and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
Why are they being fined?
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
From Friday 31 January 2020, European rules and regulations stopped having effect in the UK because the UK’s membership of the EU ended. Britain has now entered a transitional period which will last until 31 December 2020.
To prepare for this change, the government passed a flurry of Brexit-related legislation in recent years. The one relating to data protection is the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
How much of an impact will Brexit have on business?
While there is sure to be some level of impact for everyone, the impact of Brexit on each business will depend on the type of business and, most importantly, on the jurisdiction in which it collects and processes data. Due to the Brexit transition period, the impact is unlikely to be immediate.
27% of our listeners have suffered a data breach since GDPR came into force
On 31 January 2020, the UK will leave the European Union, and GDPR as we know it will come to an end.
From exit day, the GDPR we have become familiar with will disappear from the statute book and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will come into effect. This will result in hundreds of changes to both the GDPR text in UK law and the Data Protection Act 2018.
In this webinar, our Director of Course Development Nick Henderson and DPO Ruth Cohen helped organisations understand what data protection looks like in a post-Brexit world.
The webinar covered:
How Brexit will impact on UK data protection law
What changes organisations, DPOs and compliance officers need to make to their policies and procedures
The most recent GDPR cases from across the UK and Europe
It’s hard to think of something going on longer than Brexit, but the ePrivacy rules might just be it.
What is the ePrivacy regulation?
The existing 2002 ePrivacy regulation covers electronic communications. This means email marketing, cookies on websites, and privacy in electronic communications. The existing one was meant to be updated and implemented with GDPR in May 2018, but… it hasn’t happened.
The goal of a new ePrivacy regulation is to develop a regulatory framework for machine-to-machine communications and the internet of things.
It might sound like a Daily Mail headline, but don’t dismiss this as political correctness gone mad just yet. Your company Christmas cards could very well result in a data protection violation.
Santa Claus checks his list twice, and so should you. Keeping marketing lists up to date is vital for GDPR compliance and sending out the annual Christmas card is no different than any other mass mailing. Are there people on the list who’ve objected to receiving marketing information, or former customers your business hasn’t dealt with in years? Strike them off. The last thing you’ll need in the new year is a flurry of data protection complaints.