After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.


Continue Reading Retailers, Consent and the GDPR: Is Your Business in Breach?

On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. Are you ready?

Who’s affected?  

Organizations, anywhere in the world, that process the personal data of European Union (EU) residents should pay attention to GDPR and its territorial scope.

If you collect personal data or behavioral information from someone in the EU

The GDPR (General Data Protection Regulation) will be applicable as of May 25, 2018. The (high) level of penalties under the GDPR will become one of the core issues for companies. Indeed the GDPR is based on the European fundamental rights to privacy and data protection and could potentially apply outside the European Union.

In

The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before courts. Such a cancellation could lead to certified U.S. companies losing their certification (2,400 companies, including web giants and major cloud providers), having to freeze data flows and implementing other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main data protection applicable instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and efficiency.
Continue Reading The WP29 Issues an Ultimatum to Improve the Privacy Shield

In early 2017, the EU Commission published a communication about Exchanging and Protecting Personal Data in a Globalized World in which the EU Commission prioritizes discussions on possible adequacy decision with key trading partners, starting from Japan and South Korea in 2017.  More particularly, on July 3, 2017, the EU Commission and a

The UK Government will introduce a new Data Protection Bill (the “Bill”) this year. As highlighted in the Queen’s speech back in June, the Government has committed to introduce the new law and, on Monday, published a Statement of Intent.

The Bill will not change the position that the EU’s new data protection legislation

The Article 29 Data Protection Working Party (comprising representatives from the data protection regulators in each EU Member State, the European Data Protection Supervisor and the European Commission) has issued an opinion on data processing at work (2/2017) (the Opinion).  The Opinion is not legally binding but it does provide an indication as to how EU data protection regulators will consider and interpret EU data protection law.  The new EU data protection law (the General Data Protection Regulation – or the GDPR) comes into force on 25 May 2018 and will impose significant fines on non-compliant organizations (up to 4% of annual worldwide turnover or €20 million, whichever is higher) in addition to giving individuals more rights with regard to their personal data.  The GDPR does not only apply to EU companies, but can also apply to non-EU based organizations processing EU citizens’ personal data.

The Opinion notes that in light of the increasing amount of personal data that is being processed in the context of an employment relationship, the balance between the legitimate interests of the employer and the privacy rights of the employee becomes ever more important. It provides guidance on a number of specific scenarios including the use of social media during recruitment. Nowadays, employers may be tempted to view job applicants’ social media profiles as part of the recruitments process. However, according to the Opinion, employers may only use social media to find out information about a job applicant where: (a) they have a “legal ground” for doing so; (b) doing so is necessary and relevant for the performance of the position being applied for; (c) the applicant has been informed that their social media profiles will be reviewed; and (d) the employer complies with all of the data protection principles set out in the law.

What steps should your organization take if it wishes to review social media profiles as part of the recruitment process while also complying with the Opinion and EU data protection law?
Continue Reading New Guidance Issued by EU Data Protection Regulators – Does Your Organization Use Social Media During Recruitment?

The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.

More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1500 UK businesses. According  to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate and for many larger companies the cost is much more, not least in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or they are put off by scaremongering tactics by InfoSec consultants or cyber insurance brokers.

Cybersecurity should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation, under data protection legislation and potential action from regulators, such as the ICO or FCA, for businesses in the financial sector.
Continue Reading UK Cyber- Security Breaches Survey