WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses: any organisation processing the personal data of people in the EU needs to comply, and the test is where the data subjects are, not their citizenship. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Financial penalties for data protection violations also step up massively, to a maximum of €20 million or 4% of worldwide annual turnover, whichever is higher.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records of their processing to demonstrate compliance, and to appoint a data protection officer if their core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive (special category) data.
GDPR’s running emphasis on data protection via data security means it implicitly encourages encryption as more than a risk-reduction technique: the regulation names encryption as an example of an appropriate security measure, and data that was encrypted when it leaked may not have to be reported to the affected individuals. Another major change incoming via GDPR is that ‘privacy by design’ is no longer just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization, for example encrypting or keyed-hashing personal data and storing the key separately and securely, as a pro-privacy, pro-security technique that reduces the risks of processing personal data. Pseudonymized data is still personal data, though: only data rendered truly anonymous, where no reasonably likely means remain to re-identify the individual, falls outside the scope of the regulation.
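The three states the paragraph above distinguishes (pseudonymized, naively "hashed", and anonymized) behave very differently against an attacker, and the difference is easy to get wrong in practice. The following is an added example written for this page; it is not code from the TechCrunch article or from the page's author. The sample records, the attacker's candidate address list and the in-memory key are constructed assumptions; a real deployment keeps the key in a KMS or HSM, separate from the dataset, which is exactly the "additional information kept separately" the regulation refers to.

```python
"""Pseudonymization vs. naive hashing vs. anonymization on constructed sample data.

Added example; not code from the TechCrunch article or from this page's author.
The records, the attacker's candidate list and the in-memory key are assumptions.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed sample records (fictional people).
RECORDS = [
    {"email": "Alice@example.org", "plan": "pro", "country": "FI"},
    {"email": "bob@example.com", "plan": "free", "country": "DE"},
    {"email": "alice@example.org", "plan": "pro", "country": "FI"},
    {"email": "carol@example.net", "plan": "free", "country": "FR"},
    {"email": "dave@example.com", "plan": "free", "country": "DE"},
]

# Constructed guess list an attacker might already hold (scraped or leaked addresses).
CANDIDATES = ["alice@example.org", "bob@example.com", "erin@example.org"]


def normalize(email: str) -> bytes:
    """Canonical form, so 'Alice@...' and 'alice@...' map to the same subject."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. It looks opaque, but anyone can recompute it."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret held outside the dataset (the 'additional information'
    GDPR says must be kept separately). Without the key, guesses cannot be checked."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym: str, candidates, key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: reverse a pseudonym by hashing guessed identifiers.
    Passing a key models the case where the key leaked together with the data."""
    for cand in candidates:
        guess = naive_pseudonym(cand) if key is None else keyed_pseudonym(cand, key)
        if hmac.compare_digest(guess, pseudonym):
            return normalize(cand).decode("utf-8")
    return None


def pseudonymize(records, key: bytes):
    """Drop the direct identifier; keep a keyed subject id so the controller can still
    find one person's rows (access or erasure requests) by recomputing the id."""
    return [
        {"subject_id": keyed_pseudonym(r["email"], key), "plan": r["plan"], "country": r["country"]}
        for r in records
    ]


def records_for_subject(dataset, email: str, key: bytes):
    """Controller-side re-identification path, e.g. when honouring an erasure request."""
    sid = keyed_pseudonym(email, key)
    return [r for r in dataset if r["subject_id"] == sid]


def drop_subject_ids(dataset):
    """Destroying the key and removing the ids is a step toward anonymization ..."""
    return [{k: v for k, v in r.items() if k != "subject_id"} for r in dataset]


def singled_out(dataset, quasi_identifiers=("plan", "country")):
    """... but a row whose quasi-identifier combination is unique still singles one
    person out, so the result is not yet 'truly anonymous'."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in dataset)
    return [dict(zip(quasi_identifiers, combo)) for combo, n in counts.items() if n == 1]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: KMS/HSM, never stored beside the data
    target = RECORDS[0]["email"]
    print("naive hash reversed to:", dictionary_attack(naive_pseudonym(target), CANDIDATES))
    print("keyed hash reversed to:", dictionary_attack(keyed_pseudonym(target, key), CANDIDATES))
    dataset = pseudonymize(RECORDS, key)
    print("rows for alice:", len(records_for_subject(dataset, "alice@example.org", key)))
    print("still singled out after dropping ids:", singled_out(drop_subject_ids(dataset)))
```

Two points the run makes concrete: an unkeyed hash of an email address is reversed by the first attacker with a mailing list, so it is not pseudonymization in any meaningful sense, and deleting the key does not by itself make the remaining columns anonymous if a combination of them still identifies one row.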

221 Comments

  1. Tomi Engdahl says:

    Mark Scott / Politico:
    Activists and some legislators say that a GDPR-like bill to give Washington state some of the toughest privacy standards in the US was diluted by tech lobbyists

    How lobbyists rewrote Washington state’s privacy law
    https://www.politico.eu/article/how-lobbyists-rewrote-washington-state-privacy-law-microsoft-amazon-regulation/

    Washington state was writing European-style legislation. Then corporate lobbyists got involved.

    Reply
  2. Tomi Engdahl says:

    GDPR Conformance Does Not Excuse Companies from Vicarious Liability
    https://www.securityweek.com/gdpr-conformance-does-not-excuse-companies-vicarious-liability

    The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).

    Reply
  3. Tomi Engdahl says:

    Steve Ranger / ZDNet:
    UK’s tax authority to delete records of ~5M people from its Voice ID biometric voice security system because it did not have clear user consent, violating GDPR

    HMRC to delete five million biometric voice records
    https://www.zdnet.com/article/hmrc-to-delete-five-million-biometric-voice-records/

    ‘Biggest ever’ deletion of biometric data by government comes after HMRC obtained data “unlawfully” according to privacy regulator.
    Steve Ranger

    Reply
  4. Tomi Engdahl says:

    UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs
    Yes, yes, yes, we’ve told the ICO we are doing so, says HMRC
    https://www.theregister.co.uk/2019/05/03/hmrc_bashed_for_5m_voice_slurp/

    Reply
  5. Tomi Engdahl says:

Does data have to be deleted from tape too if someone asks? – this is how GDPR affects backup tapes
    https://www.tivi.fi/uutiset/tv/a1d81059-6027-44a4-8e54-77e787b7915f

    The EU has given citizens the possibility to demand that online services delete their own data.

    According to Timo Danilotschkin, CEO of storage-device vendor MultiCom, deleting data involves a dilemma: data retention obligations can conflict with the EU-granted right to be forgotten.

    ”If a data deletion request is justified and it is carried out, this can at the same time violate rules on the historical integrity of the data or other regulations, such as those on accounting retention periods. Later there could be a court case where one would need to prove what the stored data was earlier, and then one would be in trouble if the data has been tampered with afterwards,” Danilotchkin explains.

    The only practical way to comply with both sets of rules at the same time would be to keep operational data and data in backup use separate.

    Reply
  6. Tomi Engdahl says:

”GDPR had a big effect” – the Data Protection Ombudsman’s workload grew sharply
    https://www.tivi.fi/uutiset/tv/d9517940-c8ac-4ee3-ae70-a28dbdf9c676

    Reply
  7. Tomi Engdahl says:

    Where GDPR goes next: How digital privacy is taking over the world
    https://www.zdnet.com/article/where-gdpr-goes-next-how-digital-privacy-is-taking-over-the-world/

    One year on from the EU introducing its data protection laws, the impact is spreading around the world.

    Designed to update the privacy rights of internet users and ensure organisations are transparent and responsible when handling the personal information of customers and clients, the European Union’s General Data Protection Regulation (GDPR) laws came into force on May 25 last year.

    GDPR was designed to protect EU citizens’ data, but the open nature of the web inevitably means it has an impact beyond its own shores. Even companies outside of the EU will often have to comply with the data protection legislation – for example, if they offer goods or services to EU citizens or if they have a branch somewhere within the trading bloc.

This extended reach of GDPR has led to some unexpected outcomes. One example: European internet users looking to visit some US-based news publications may find that they can’t view the websites – instead being met with pages explaining the publication didn’t comply with the new legislation and blocked them out instead.

    Some eventually found solutions to this, while a year on from the legislation being introduced some US publications continue to only show a holding page to European visitors.

    “To a large extent in the US, most users attribute GDPR with an influx of cookie notifications and see it as an annoyance, rather than what it is: an attempt by regulators to give the consumer a level of visibility and control over what data is being collected about them,” says Tim Mackey, senior technical evangelist at Synopsys.

    But soon enough, even for businesses that have no involvement with the EU, there may be no hiding from data protection legislation as countries and regions around the world look to implement their own privacy laws, including Brazil, Japan, South Korea, India and others.

    One of those is the home of Silicon Valley, California, which is set to introduce the California Consumer Privacy Act as of January 1 2020.

Apple CEO Tim Cook has called for the US to introduce an equivalent to GDPR to prevent data being weaponised against users. Facebook CEO Mark Zuckerberg recently spoke about how privacy will be the future of Facebook – even though he admits himself that some may find that hard to believe.

    Reply
  8. Tomi Engdahl says:

    Alfred Ng / CNET:
    On the first anniversary of GDPR, Microsoft calls for a similar privacy law in the US that puts the burden on the companies that collect and use sensitive data — Microsoft’s idea of a US privacy law would make it easier for people to protect their data. — The company’s corporate vice president …

    Microsoft wants a US privacy law that puts the burden on tech companies
    https://www.cnet.com/news/microsoft-wants-a-us-privacy-law-that-puts-the-burden-on-tech-companies/

    Europe’s privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.

    Reply
  9. Tomi Engdahl says:

    Matthew Wall / BBC:
    Since GDPR, Ireland’s Data Protection Commission says it has launched 19 cross-border investigations, 11 of which focus on Facebook, WhatsApp, and Instagram — Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic …

    How Ireland became Europe’s data watchdog
    https://www.bbc.com/news/business-48357772

    Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic of Ireland since the European Union’s new data protection regulation came into force a year ago.

    Reply
  10. Tomi Engdahl says:

    Philip Nabben / Lexology:
    In the year since GDPR took effect, a look at the first wave of decisions and fines issued by data protection authorities in EU countries — European Union, France, Germany — On Saturday 25 May 2019, the EU General Data Protection Regulation (GDPR), which aims to protect personal data including …

    The GDPR: one year on
    https://www.lexology.com/library/detail.aspx?g=c04317e4-4fc9-43b4-ab6d-bb19210c812d

    Reply
  11. Tomi Engdahl says:

    One Year on, EU’s GDPR Sets Global Standard for Data Protection
    https://www.securityweek.com/one-year-eus-gdpr-sets-global-standard-data-protection

    The EU’s strict data laws have set the global benchmark for protecting personal information online since coming into force a year ago, but some worry that many users have barely noticed the change.

    The “General Data Protection Regulation” (GDPR), launched on May 25 last year, enhances the rights of internet users and imposes a wide range of obligations on companies, including that they request explicit consent to use personal data collected or processed in the European Union.

    Reply
  13. Tomi Engdahl says:

    Analysis Shows Poor GDPR Compliance in European Websites
    https://www.securityweek.com/analysis-shows-poor-gdpr-compliance-european-websites

    Marking the one-year anniversary of GDPR coming into force (May 25, 2018), a web-scanning service has analyzed the visible GDPR compliance of the 100 most popular websites in each of the 28 European member states. The scan is non-intrusive. As a result, it cannot say that an organization is compliant (non-compliance can occur deep in the system), but it can say if an organization is not compliant simply by examining the parts that are visible over the internet.

    The firm concerned, ImmuniWeb (formerly High-Tech Bridge), has added GDPR scan components to its existing website security test, and made this a free offering. The four visible elements of GDPR compliance that it checks are access to the privacy policy, insecure use of cookies, outdated or vulnerable content management system (CMS) components, and lack of HTTPS encryption (or use of SSLv3, which is more than 20 years old and should have finally died with the POODLE attack in 2014).

    The results are surprisingly inconsistent across the different countries, and generally not very reassuring. However, website security and use of HTTPS are promising, with an average of just 6.75% and 5.96% failures. Greece is the worst nation for website security, with a 38% failure rate. Malta is worst on HTTPS with a 29% failing.

    It is difficult to draw clear conclusions from this survey — but two things do stand out. Firstly, not a single European country displays complete GDPR conformance across all its websites. Secondly, website operators seem to draw a distinction between security and compliance. Website security issues are given higher importance (an overall 6.75% failing) than cookie protection and privacy policy issues (78.25% and 51.5% failing respectively).

    Reply
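The comment above describes a scan that judges only the visible surface of a site: cookie attributes, HTTPS, and HSTS are all readable from response headers without touching the application. The following is an added example written for this page; it is not ImmuniWeb's scanner or any code from the page. The response header lines and URLs are constructed, and the rule set (Secure, HttpOnly, SameSite, SameSite=None requiring Secure, HSTS on HTTPS sites) is an assumption about what such a scan would reasonably flag; it does not model the privacy-policy or CMS-version checks, nor the SSLv3 probe, which need a live connection.

```python
"""Visible-surface cookie and transport audit over constructed HTTP response headers.

Added example, not ImmuniWeb's scanner or code from the page. URLs, header lines
and the rule set are assumptions; a real scan fetches the headers over the network.
"""
from urllib.parse import urlsplit

# Constructed sample responses (not real scan output): fetched URL -> header lines.
SAMPLE_RESPONSES = {
    "http://shop.example/": [
        "Content-Type: text/html",
        "Set-Cookie: session=abc123; Path=/",
        "Set-Cookie: tracker=GA1.2.1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    ],
    "https://news.example/": [
        "Strict-Transport-Security: max-age=31536000; includeSubDomains",
        "Set-Cookie: sid=xyz; Secure; HttpOnly; SameSite=Lax; Path=/",
        "Set-Cookie: embed=1; SameSite=None; Path=/",
    ],
}


def parse_set_cookie(header_line: str):
    """Split one 'Set-Cookie: name=value; Attr; Attr=val' line into (name, attrs).
    Only the first colon separates header name from value, so Expires dates survive.
    Attribute names are case-insensitive and are lower-cased here."""
    body = header_line.split(":", 1)[1]
    name_value, *raw_attrs = body.split(";")
    name = name_value.strip().partition("=")[0]
    attrs = {}
    for raw in raw_attrs:
        key, _, val = raw.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip() or True
    return name, attrs


def cookie_findings(url: str, attrs: dict):
    """Rules a non-intrusive scan can apply to a single cookie."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("set over plaintext HTTP")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = str(attrs.get("samesite", "")).lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    return findings


def audit_response(url: str, header_lines):
    """Returns {'transport': [...], '<cookie name>': [...]} for one response."""
    report = {"transport": []}
    lowered = [h.lower() for h in header_lines]
    if urlsplit(url).scheme != "https":
        report["transport"].append("not served over HTTPS")
    elif not any(h.startswith("strict-transport-security:") for h in lowered):
        report["transport"].append("HTTPS without HSTS")
    for line in header_lines:
        if line.lower().startswith("set-cookie:"):
            name, attrs = parse_set_cookie(line)
            report[name] = cookie_findings(url, attrs)
    return report


def audit_all(responses=SAMPLE_RESPONSES):
    """Audit every constructed response; a real scanner would fetch these headers."""
    return {url: audit_response(url, lines) for url, lines in responses.items()}


if __name__ == "__main__":
    for url, report in audit_all().items():
        print(url)
        for item, findings in report.items():
            print(f"  {item}: {', '.join(findings) or 'ok'}")
```

As the comment notes, a clean result here proves nothing about compliance deeper in the system; a finding, on the other hand, is a definite defect that is visible to anyone on the internet.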
  14. Tomi Engdahl says:

    Google faces Irish inquiry over possible breach of privacy laws
    Technology firm’s Ad Exchange processing of users’ personal data being investigated
    https://www.theguardian.com/world/2019/may/22/irish-statutory-inquiry-to-investigate-if-google-flouted-privacy-laws

    Reply
  15. Tomi Engdahl says:

    UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users
    https://techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users/

The UK’s Information Commissioner is starting off the week with a GDPR bang: this morning, it announced that it has fined British Airways and its parent International Airlines Group (IAG) £183.39 million ($230 million) in connection with a data breach that took place last year that affected a whopping 500,000 customers browsing and booking tickets online. In an investigation, the ICO said that it found “that a variety of information was compromised by poor security arrangements at [BA], including log in, payment card, and travel booking details as well as name and address information.”

    The fine — 1.5% of BA’s total revenues for the year that ended December 31, 2018

    Reply
  16. Tomi Engdahl says:

    Marriott to face $123 million fine by UK authorities over data breach
    https://techcrunch.com/2019/07/09/marriott-data-breach-uk-fine/

    The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123M) fine for a data breach that exposed up to 383 million guests.

    Reply
  17. Tomi Engdahl says:

    The big picture: Privacy laws, including Europe’s mammoth General Data Protection Regulation and California’s recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.

    Yes, but: These laws have not generally done a good job clarifying acceptable ways to do this safely.

    Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancee he could use GDPR to steal her personal information.

    He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly 1/4 of those provided it to him, no questions asked.
    “Companies are afraid under GDPR of telling you no.”
    — James Pavur

    Source
    https://www.axios.com/newsletters/axios-codebook-7869eb9d-4d90-4630-92ac-e3c5c90fd362.html

    Reply
