Windows 10 News and info | Forum
Topic: GDPR enforcement is on fire!
« on: February 03, 2020, 09:16:15 PM »

You read that right: GDPR enforcement is on fire! While fines are not always particularly high, our analysis shows that, in terms of volume, data protection authorities (DPAs) are rapidly increasing their GDPR enforcement activities. Some interesting trends are also emerging:

• DPAs have levied 190 fines and penalties to date. With 43 enforcement decisions made so far, Spain leads the pack as Europe's most active regulator, followed by Romania (21) and Germany (18). The UK has imposed the highest total amount of fines -- more than €315 million -- if both British Airways' and Marriott's fines are upheld after appeal. Following are France's Commission Nationale de l'Informatique et des Libertés, with just over €51 million in fines, and Germany's DPA, at nearly €25 million.

• Failures of data governance -- not security -- trigger the most fines and penalties. DPAs have primarily acted against the infringement of Article 5 (principles of processing of personal data) and Article 6 (lawfulness of processing). These rules contain key data governance principles, such as data accuracy and quality, and fairness of processing, when firms collect and process the minimum amount of data necessary for a specific, clearly defined purpose. Firms struggle greatly to meet the requirements around consent and other available legal bases.

• Breaches get the enforcement ball rolling but are just a starting point. Many security and risk (S&R) and privacy pros expected security infringements and missed breach notifications to be the main triggers of GDPR enforcement. DPAs have undertaken about 50 actions for infringement of Article 32 (security requirements) and a few more related to failure to report breaches. These cases show that an actual security incident is just the starting point for determining fines. Investigations that followed some of the biggest breaches of the post-GDPR era focused not only on the specific conditions of the breach but also highlighted "poor security arrangements." Adequate authentication procedures -- or the lack thereof -- have been DPAs' focus since the first enforcement action in 2018.

• Compromised data from a single customer can be expensive. DPAs evaluate the impact of a breach, not just its volume. For example, Spain's data protection regulator fined two telco providers, each of which had an issue with a single customer. One telco erroneously disclosed the credentials of a third party to a customer, allowing the customer to gain access to sensitive third-party data. This single event cost the provider €60,000. The DPA fined another telco provider almost €40,000 for processing the data of a single customer without their consent. A hospital in Germany was also fined €105,000 for GDPR violations associated with the misuse of data of a single patient.

• Failure to respect individuals' rights will lead to the next wave of fines and penalties. Forrester expects the next enforcement wave to come from failing to address individuals' privacy rights. Most current enforcement actions refer to data access requests and data deletion. For example, a German property company that -- among other issues -- archived customer data in a way that didn't allow for data deletion was fined €14.5 million. Enforcement to date has primarily come from customer requests, but enforcement actions from employee requests are also increasing. Bulgaria's Commission for Personal Data Protection fined an employer for a delayed and incomplete response to an employee's access request.

• Third-party risk management is the next big thing in the privacy arena. Third-party risk management is nothing new to S&R and privacy pros, but they're only now starting to see how third parties affect their privacy program. Third parties that don't follow the same privacy policies you do can destroy not only your privacy program but also your brand, your customers' trust, and your partner ecosystem. From vendors to subcontractors to data suppliers to the partners you share data with, it's evident that third-party risk has far-reaching implications for privacy. Current due diligence practices are not going to cut it. Don't be caught off guard. Instead, look for ways to blend technology, cross-functional knowledge and data, and external insights with your S&R peers to automate third-party management for privacy.
