Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.
With the coming into effect of the GDPR on 25 May 2018, the modernisation of European privacy laws has reached a critical milestone. Hogan Lovells has updated our guide “Future-proofing privacy,” which aims to be a useful starting point for organisations seeking to understand the GDPR and comply with it. Twenty-four authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts, and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now.
On September 13, the U.K. government introduced in Parliament the Data Protection Bill. The main aim of the bill is to implement the General Data Protection Regulation (EU) 2016/679 into U.K. domestic law. However, as perhaps reflected in the length and complexity of the bill, it is also intended to do several other things. This post outlines key observations on the structure and content of the bill.
500 German companies will be asked in the coming weeks by 10 German data protection authorities to complete an extensive and detailed questionnaire about their transfers of personal data to third countries. Companies must indicate how they ensure an adequate level of data protection for such data transfers. The questionnaire also covers the use of cloud services provided by U.S. entities. The enquiry and the questionnaire (but not the list of targeted companies) were published by the German DPAs on 3 November 2016.
Earlier this week, Bret Cohen and Sian Rudgard from the Hogan Lovells Privacy & Cybersecurity practice were interviewed as follows by Varonis’ The Inside Out Security Blog about data security requirements in the EU General Data Protection Regulation.
Part 12 of Future-Proofing Privacy: Security is a Critical Piece. Security is a critical piece of the data protection jigsaw. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high profile breaches has exacerbated the situation. So it was inevitable that data protection reform would need to demonstrate that regulators were serious about data security and the Regulation does this by introducing three critical changes: obligations to have appropriate security in place will apply directly to data processors for the first time; there will be mandatory reporting of data breaches to data protection authorities; and there will also be mandatory reporting of data breaches to data subjects in certain situations.
Part 8 of Future-Proofing Privacy: Data Processors’ New Obligations. The Regulation will impose a number of compliance obligations and possible sanctions directly on service providers. This is a significant change as currently service providers do not have any direct obligations to comply with EU data protection law (their obligations derive from their contracts with controllers). Future proof deals being negotiated now. Controllers and processors should carefully document the responsibilities of the parties and specifically take into account the forthcoming changes when deciding on providing consent for subprocessors, pricing, security standards and risk allocation.
A number of data protection authorities around the globe have issued press releases confirming their involvement in the 2016 global privacy “sweep”, which kicked off on April 11th. This year’s initiative involves a coordinated investigation by 29 DPAs into the practices of internet-connected devices, such as fitness and health trackers, thermostats, smart meters and TVs and connected cars. The work is being coordinated by the Global Privacy Enforcement Network under the leadership of the UK Information Commissioner’s Office.