Data Privacy Training
Specialised data privacy training for staff by function. We train staff based on role within your organisation
Secure Coding Training
We train your staff effectively on secure coding practices which align with privacy and app security controls
READ RECENT PRIVACY ARTICLES
FROM OUR BLOG
– LATEST-
The changing face of AI powered analytics and it’s impact on privacy & hiring processes
AI powered analytics is used by 89% of HR depts to pre-screen candidates across the globe. But is emotion analytics and the risk of racial and gender bias make it fit for purpose.
Spotlight on Zoom as they settle their class action suit
Spotlight on Zoom as they settle their class action suit for $86m and join the list of data privacy scoflaws dipping in the advertising dollars cookie jar.
What is the Electronic Privacy Regulation
In this article I talk about the new electronic privacy regulation (ePR) which will replace the ePrivacy directive of 2002/09
How to Secure WordPress
In this article we cover how to secure your wordpress from hackers and spammers using a few simple tips and precautions.
The CPRA act Explained in 10 Slides
In this web story we take a look at the CPRA act of 2020 and what this new stricter privacy regime means for California businesses and consumers.
What is GDPR & Data Privacy?
Whether you’re new to GDPR or you’ve been working with data privacy for awhile, it’s important to understand the basics of what it is and why it’s needed in the first place. The basic question for many people is, “what is GDPR?” and why does it matter?.
GDPR Primer
GDPR or general data protection regulations came into effect in May 2018 as a successor to the Data Protection Directive of 1995. The intention of the regulations was to create one set of rules for all EU states to follow when protecting personal data.
The regulations are mandatory as opposed to the data protection act which was a voluntary code of conduct and identifies three main parties in the data protection chain. These are a data controller, data processor and subject (an individual person) which I’ll explain shortly.
Why GDPR came into being?:
At a simple level, the rules came into place as a result of the age of big data and the internet and revelations around abuse of how our personal data was being monetised by ad-tech, data brokers, tech giants and others.
It’s widely believed that the revelations of Edward Snowden around US government mass surveillance programs which targeted US citizens but also inadvertently included EU citizens triggered alarm bells in Europe and pushed the issue of data protection to the fore.
Another major case recorded was Max Schrems vs Facebook Ireland in 2013 in an action where Schrems won.
The issue at hand was with respect to Facebook’s failure to get his consent to transfer his personal data back to the US for further processing. This of course had larger ramifications for all EU citizens data and how it was automatically transferred outside the EU without knowledge or proper supervision.
Data Privacy Trends
Over the last number of years, we’ve witnessed a surge in regulatory activity on a global scale. Last year, saw an incredible average of 220 regulatory change alerts per day in the financial sector alone. A ten fold increase over ten years.
We of course saw GDPR implemented in 2018 but this has spurred a raft of follow-up legislation internationally at the country and state level. I mentioned in my previous article What is GDPR? developments with the data protection acts of 2018 in Ireland and the UK.
These changes are essentially refinements and in some cases dilutions of GDPR regulations. But what about the US? Well in 2019, 5 US states alone implemented new or updated data privacy laws whilst in 2020, California implemented sweeping changes with it’s CCPA regulation (“What is CCPA?”:Related Article) while New York enacted it’s data privacy updates with the implementation of it’s Shield Act which strongly focuses on data safeguards, expands the definition of private (personal information) and strengthens it’s breach notification rules in instances where HIPAA or Graham-Leach-Bliley doesn’t take precedence.
Developments on international transfers have also been to the fore in 2020 with the ruling on the invalidity of the EU-US privacy shield “Privacy Shield is struck down”:Related Article muddying the waters for US companies doing business in the EU. It’s safe to say that each regulation has it’s own nuances which is further complicated by the fact that many companies operate under multi-jurisdictional data privacy rules which are often subject to conflicting interpretation.
Perhaps one of of the more interesting trends in compliance, is the rise of AI and underlying technologies. I refer back to my article on CCPA regulation and the section on Innovation Automation. Where I highlight 3 companies and their approach to specific data privacy challenges.
It’s apparent that regulated firms, globally, have been overwhelmed by the burden of regulation and they need automation and skilled resources such as legal compliance help, privacy practitioners (such as myself) and regtech solutions integrators to address the challenges.
Fines and reputational damage are too costly not to get it right anymore as the regulators seek to make examples as never before.
What is CCPA?
The California Consumer Protection Act or AB 375 came into effect in January of 2020 Building on pre-existing privacy laws such as CalOPPA and Shine the Light Law, CCPA was perhaps a logical step by the California state legislature to respond to mega breaches of the Equifax (147m records) variety and the reckless behavior of Facebook in the Cambridge Analytica scandal.
Applicability: It applies to any qualifying business, in any country who has customers or employees based in California. Qualifying businesses being those who have annual gross revenues in excess of $25 Million or trades data on more than 50,000 customers annually or derives 50% or more of it’s annual revenue from selling personal information.
Sanctions: California consumers may invoke the new law where enforcement actions may include a $2,500 penalty per record for an unintentional violation and $7,500 penalty for an intentional violation. (If Cambridge Analytica happened today, that would be 50 million multiplied by $7,500 or 375 with nine zeros).
At a lower level, the act allows a “Private right of action” for California Residents, allowing claims of $100 to $750 per incident, whether actual harm is proven or not. This law is tied to the recently updated California Data Breach Notification Law AB 1130 which defined data in scope including driver’s license, social security number, email address, account numbers, as well as medical, health and biometric information.
More >>
GDPR | CCPA – 10 Steps to Designing the Right Data Protection Program
In a recent report by DLA Piper data breach notifications topped 160,000 and fines reached 114 million Euro ($126m) since GDPR rules came into effect in the EU in May 2018. The largest of which was recorded in France for 50m Euro against Google for GDPR violations.
Well, let me start by saying, I’m sorry to be alarmist, but it’s my job in security to be the squeaky wheel sometimes. So, in this article I hope to set you in the right direction if you have more than a passing interest in privacy by design (PbD) and data protection regulations, in particular how EU and US registered businesses in a post privacy shield era can better prepare for GDPR and CCPA regulations using a 10 point plan. The plan has been designed more toward medium to large size regulated firms given that budget constraints for security controls like IAM and the ability or requirement to hire a data protection officer maybe beyond reach of smaller firms.
In order to prime you for these steps, may I recommend that you have a glance at the GDPR FAQ’s from the EU commission press office, CCPA guidance from the Office of the Attorney General in California and New York Shield Act text from the NY Senate which is useful at a high level.
Why is Privacy Awareness so Important?
Over 90% of data breaches and complaints today are caused by simple, avoidable mistakes like clicking on email links, opening attachments and forwarding personal data to the wrong parties.
These mistakes are costly not only in terms of fines, reputational damage & lost productivity, but also in time. Time to respond to regulatory requests, customer queries, getting systems back online, investigatory work and more. And on top of all of this, if you process a few thousand customer data records annually, then you are required to comply with awareness training requirements. That’s why we created economical solutions to meet these demands which are available as downloadabes on our online store. To visit our store, click the button below.
Our Privacy Policy
.