All Compliance related articles
Since its adoption the EU’s General Data Protection Regulation (GDPR) has created a domino effect around the world, with many countries moving forward with proposals for new data protection regulations or updates to existing ones. From Brazil’s Data Protection Bill of Law to China’s Internet Security Law, it seems data protection legislation is on every country’s agenda.
Australia is no different. In fact, it was one of the countries to get a head start in aligning its 1988 Privacy Act to some of the new concepts and requirements introduced by the GDPR. The Privacy Amendment (Notifiable Data Breaches) Act 2017 was adopted in November 2017 and actually came into force before the GDPR, on 22 February 2018.
As its name suggests, the Notifiable Data Breaches (NDB) scheme introduced mandatory data breach notifications into Australia’s Privacy Act 1988. It puts organizations…
It’s been over two months since the EU’s General Data Protection Regulation (GDPR) came into force on May 25th and, after a feverish rush for compliance overtook all businesses, a period of relative calm followed in the wake of its implementation. Whether this is because both organizations and users suffered from an oversaturation of GDPR-related content, updated privacy policies and consent requests, or because the new regulation has yet to shed its training wheels, the GDPR has effectively left the limelight.
That being said, if it’s not making headlines as it did a year ago, the GDPR is leaving its mark on the data protection field by being the first legislation of its kind to tackle present-day dangers to data security and companies’ accountability to their customers and the law in the face of these threats.
The post-GDPR world is one full of anxiety and opportunity. Many companies…
Health data, due to its sensitive nature, has always been considered a special category of data and invariably falls under the jurisdiction of data protection regulations. Under the EU’s new General Data Protection Regulation (GDPR), it is explicitly classed as a special category of personal data under article 9 which requires the strict application of the regulation’s requirements. In the US, health data falls under the incidence of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), two interconnected acts which together guarantee its protection.
Regulated by the Department of Health and Human Services (HHS) and enforced by its Office of Civil Rights (OCR), HIPAA outlines the lawful use and disclosure of protected health information (PHI) and guarantees its …
The last two weeks have been met with varying degrees of panic by companies big and small trying to finalize GDPR compliance before the new legislation’s enforcement on 25 May 2018. What feels like a million emails were sent with updated privacy policies and requests for continued subscription. But now that the dreaded deadline is here, how will companies fare in this brave new GDPR-compliant world? Let’s have a look at some of the key factors to consider.
A country-by-country case
As a regulation, the GDPR is applicable across all member states without the need for each country to pass national laws. However, each member state has its own data protection laws which will need to be aligned to the GDPR.
The new regulation also contains more than 70 opening clauses which allow member countries to modify the provisions set within them to implement stricter or laxer rules than those set out …
The Clarifying Lawful Overseas Use of Data (CLOUD) Act was signed into law by the US President on March 23rd as part of the 2,000-page Spending Bill. The new piece of legislation addresses a controversial debate that has been raging in the US since the notorious United States v. Microsoft case, in which the tech giant refused to hand over data stored on its Irish servers to the FBI, first made headlines: can US law enforcement officials request access to data stored in another country by a company operating in the US?
The CLOUD Act settles the argument firmly on the side of law enforcement by making it easier for them, whether they are local police or federal forces, to directly request that US tech companies hand over data regardless of where it is stored. The executive branch will also now have the power to sign executive agreements with foreign governments that want access to data stored in the US, all…
As we enter the home stretch towards the enforcement of the EU’s General Data Protection Regulation (GDPR), with only three weeks to go until 25 May 2018, we take a closer look at one of the key requirements of the new legislation: Data Protection Impact Assessments (DPIAs).
Meant to help companies identify, assess and minimize the data protection risks of projects, DPIAs are not necessarily a new idea. A similar concept, the Privacy Impact Assessment (PIA), has been widely considered a valuable tool for companies looking to reduce risks resulting from their data processing activities. However, because of the lack of an industry-wide agreement on how these should be conducted, companies have often found themselves at a loss when it came to carrying them out.
Through DPIAs, the GDPR has now made assessments mandatory by law in the case of processing activities which may result…
The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL) has taken a very active role in clarifying what French businesses’ responsibilities will be under the EU’s General Data Protection Regulation (GDPR), coming into force on 25 May 2018. Issuing everything from guidelines for processors and SMEs to toolkits and templates, CNIL has taken a hands-on approach to demystifying the GDPR and providing clear steps towards achieving compliance.
The French DPA sees the GDPR as having a strong focus on accountability and transparency, which are reflected in the regulation’s emphasis on creating products and services that take into consideration data protection by design and by default, as well as the establishment of internal policies, procedures and tools that guarantee an optimal protection of individuals’ personal…
Time is ticking: the implementation of the EU’s General Data Protection Regulation (GDPR) is less than 7 weeks away and companies are still struggling to come to terms with compliance. While some have already passed their audits and feel confident as we draw nearer to finding out the full extent of the GDPR’s enforcement, others are just now taking the first precautionary steps towards compliance.
Among the many requirements organizations must comply with, the right to erasure is one of the thorniest. A recent survey by big data application provider Solix found that 65% of respondents were unsure whether their companies can fully and permanently purge personal information from their systems. But what does the right to erasure imply, who does it apply to and, more importantly, what must companies do to comply with it? Let’s find out!
The right to be forgotten and the right to erasure…
With the GDPR implementation around the corner, companies processing EU data subjects’ personal information need to step up their data protection policies and take decisive action to reach compliance. Under the new legislation, organizations will no longer have the luxury of putting data security low on their priorities list or feign ignorance about their data processing practices. They will be held accountable in the eyes of the law and will have to demonstrate their compliance with GDPR requirements to data protection authorities.
One of the first steps companies must take in this direction is to become aware of the way data is handled within their organizations. This implies a deep understanding of EU data subjects’ rights as well as the principles enshrined in the GDPR that relate to the processing of personal data.
Under the GDPR, sensitive information must be processed…
Earlier this week, the Center for Internet Security (CIS) released the latest version of their Top 20 Critical Security Controls, a ground-breaking set of globally recognized best practice guidelines for securing IT systems and data. The Critical Security Controls were first developed by the SANS Institute in 2008 and were later transferred to CIS in 2015. The guidelines are continuously being revised and refined by a volunteer global community of experienced IT professionals.
The Six Basic Controls
Most major security incidents occur when even basic controls are lacking or are poorly implemented. A study of the previous version of the controls showed that 85% of cyberattacks can be prevented by the adoption of the then first five Critical Security Controls alone. Applying all twenty can prevent as much as 97% of attacks.
The first six controls were therefore developed…