56% of marketers feel GDPR has positively affected their email marketing campaigns
Increased consumer trust in brands has improved customer engagement for email marketing. This article cites a DMA report stating that consumers’ trust in brands has grown within a year of implementation of GDPR. The rules have also made 41% of consumers feel more confident about how brands handle their data…
Josef K., the protagonist of Kafka’s novel ‘The Trial’, was an ambitious and successful banker prior to his unexpected arrest. The criminal charges brought against him were never explained, because they were beyond the comprehension of all but the most senior judges. Attempting to understand his guilt consumed K.’s every thought: he was distracted at work, subservient to his lawyer and…
It’s hard to believe we’ve almost reached the one-year anniversary of the date the General Data Protection Regulation (GDPR) went into effect. Leading up to that May 25, 2018 date, news headlines were dominated by fear, uncertainty and doubt over whether organizations would successfully comply in time…
Only One of Every 395 Data Breach Investigations has Led to a Fine
Children and GDPR: protecting children’s data online
Protecting children’s data online must come to the forefront of GDPR enforcement following violations of child privacy online. It has been a year since the General Data Protection Regulation (GDPR) came into force. Last May we saw businesses scrambling to get their houses in order realising the hefty fines they could face and others burying their heads…
Following a complaint, the Information Commissioner’s Office (ICO) launched an investigation into HMRC over possible GDPR breaches.
The tax collector had collected large amounts of biometric data in the form of voice recordings. Its Voice ID system was used to speed up incoming customer calls: to enrol, callers had to repeat the phrase “my voice is my password”, and the resulting voiceprint could then be used to confirm their identity when they managed their taxes. The problem was that callers were given no way to opt out.
After concluding its investigation, the ICO decided not to impose a fine, judging that the infringement was unlikely to cause anyone “damage or distress”. It has, however, served HMRC with an enforcement notice; the cost of failing to comply with it may reach £17 million or 4% of global annual turnover.
This is the first enforcement action relating to biometric data since the GDPR came into force. The GDPR is the first data protection law to identify biometric data explicitly as special category data requiring greater protection.
Of the 11,468 self-reported data breaches investigated by the ICO between May 25, 2018 and March 2019, only 29 (just 0.25 percent, or roughly one in every 395) have led to a fine. Many of those fines, moreover, were issued for breaches that had occurred before the GDPR came into effect.
These figures were compiled by research from the security platform Digi.me, which also found that data subjects have raised 37,798 data protection concerns since the GDPR took effect, and that the sectors most often behind data breach investigations were health and education.
On this issue, Julian Ranger, founder of Digi.me says:
“There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.
“Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organisation that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”
Bins returned to GPO after An Post reassured that litter is not in breach of GDPR rules
All public bins have been returned to the GPO after An Post was reassured that litter collected on the premises would not be subject to GDPR rules. For the past number of months, customers and visitors to the historic building had been unable to dispose of their litter inside the building…
Passwords may be a small part of GDPR requirements, but they also represent the easiest way to gain unauthorized access to personally identifiable data. To help organizations follow GDPR data privacy compliance, the Information Commissioner’s Office (ICO) has updated its guidance to provide password recommendations under GDPR. ICO oversees the …
Unencrypted USB devices are still being used by businesses despite the fact that unsecured data could lead to GDPR fines. According to a survey by the global security company ESET and Kingston Technology, a world leader in technology products, 55% of businesses don’t encrypt their removable devices, leaving them vulnerable to data breaches…
Can Blockchain Aid Facebook’s User Data Protection Woes?
Following the news last week that Facebook could be fined up to $5 billion by the US Federal Trade Commission (FTC) for its huge privacy breach, TFT asked Alin Iftemi, CTO of Modex, the blockchain smart contract marketplace, to weigh in on the social network’s user data protection…
UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs
Her Majesty’s Revenue and Customs, aka the tax collector, has agreed to delete five million voice recordings it used to create biometric IDs. The Voice IDs were used to speed access to its phone line but were created before the implementation of the European General Data Protection Regulation (GDPR) and fell foul of the tougher rules…
Italy’s data protection authority (the Garante) has issued its first GDPR fine to the Rousseau platform, which operates the websites of the Italian political party the 5-Star Movement (Movimento 5 Stelle).
The platform, named Rousseau, runs websites affiliated with Movimento 5 Stelle as a data processor. In 2017 it suffered a data breach, after which the data protection authority required it to implement a number of security measures, including an obligation to update its privacy notice.
While the privacy notice was updated, the platform failed to implement several key security measures. It ran an outdated content management system that was vulnerable to cyber attacks. The application had several authentication-related weaknesses, including unsalted password hashes and weak passwords; it had no audit logging practice, in particular for administrative access; and the logs it did keep were not adequately protected against tampering. Other deficiencies included failure to follow best practices for e-voting systems, most notably anonymisation.
It was the Rousseau platform, as processor, and not Movimento 5 Stelle, as controller, that was found in violation of Article 32 of the GDPR for lacking appropriate technical and organisational measures, and it was fined EUR 50,000. This sets an interesting precedent: for the first time, a data protection authority has not held the data controller liable for actions performed by the data processor.
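Two of the Article 32 failings the Garante listed above, unsalted password hashes and logs with no tamper protection, are concrete enough to show in code. The following Python example is added here for illustration; it is not code from the Rousseau platform, from Movimento 5 Stelle or from the Garante’s decision, and the cost parameters, usernames, actions and key in it are constructed for the example. It puts an unsalted SHA-256 password store next to a per-user-salted, memory-hard scrypt store, and shows an HMAC-chained audit log of administrative actions that reports the first entry that has been edited, deleted or reordered.

```python
import hashlib
import hmac
import json
import os

# --- Password storage -------------------------------------------------------

def unsalted_sha256(password: str) -> str:
    """The weak pattern: no salt, one fast hash.

    Two users with the same password get the same digest, and a leaked table
    can be attacked with precomputed lookups at billions of guesses per second.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# scrypt cost parameters (constructed for the example; tune to your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Hardened form: random per-user salt and a memory-hard KDF.

    The parameters are stored with the hash so they can be raised later
    without invalidating existing records.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


# --- Tamper-evident audit log of administrative access ----------------------

GENESIS = "0" * 64  # "previous MAC" for the first entry


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the MAC is reproducible on verification.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(log: list, key: bytes, actor: str, action: str) -> dict:
    """Append an entry whose MAC covers the entry and the previous entry's MAC."""
    entry = {
        "seq": len(log),
        "actor": actor,
        "action": action,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes):
    """Return the index of the first bad entry, or None if the chain is intact.

    Editing an entry breaks its MAC; deleting or reordering one breaks the
    seq/prev chain of the entries that follow it.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (entry.get("seq") != i or entry.get("prev") != prev
                or not hmac.compare_digest(expected, entry.get("mac", ""))):
            return i
        prev = entry["mac"]
    return None


if __name__ == "__main__":
    # Same password, same digest under the weak scheme; different under the hardened one.
    print(unsalted_sha256("Summer2017") == unsalted_sha256("Summer2017"))  # True
    h1, h2 = hash_password("Summer2017"), hash_password("Summer2017")
    print(h1 != h2, verify_password("Summer2017", h1), verify_password("Summer2018", h1))

    # Constructed audit trail; in practice the key lives in an HSM/KMS, not beside the log.
    key = os.urandom(32)
    log = []
    for actor, action in [("admin", "login"), ("admin", "export_users"), ("admin", "logout")]:
        append_entry(log, key, actor, action)
    print(verify_log(log, key))            # None: chain intact
    log[1]["action"] = "view_dashboard"    # someone rewrites the export entry
    print(verify_log(log, key))            # 1: first entry that fails
```

The MAC key must not be readable by the administrators whose actions the log records, otherwise the chain can simply be recomputed; forwarding entries to a write-only collector, or anchoring the latest MAC somewhere the administrator cannot write, is what turns this from tamper-evident to tamper-resistant.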
A Rear-View Look at GDPR: Compliance Has No Brakes
Bulgaria’s Commission for Protection of Personal Data in key stance on media reporting
Bulgaria’s Commission for Protection of Personal Data has issued its opinion on personal information that the media can lawfully publish after the commission was approached on the question by a company at the centre of a controversy about the acquisition of apartments by politicians…
The Data Protection Commissioner has launched a probe into Facebook’s password storage after an error left hundreds of millions of user passwords stored in plain text on internal systems. The passwords were accessible to as many as 20,000 Facebook employees, and some of them dated back as far as 2012.
The social network made the public aware of the breach when they resolved the issue in March. The DPC confirmed it had been notified by Facebook of the incident and has started an inquiry, to determine whether GDPR laws have been breached.
“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” the authority said in a statement.
“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR.”
Facebook’s internal investigation into the matter found no evidence that anyone outside the company got hold of the passwords, or that they were abused by staff.
The GDPR provides for fines of up to EUR 20 million or 4% of annual global turnover, whichever is higher. Based on Facebook’s turnover of more than $55bn last year, it could be looking at a fine as high as $2.2bn (€1.97bn) if the DPC decides that the GDPR has been breached. It is also worth noting that this is only one of many investigations launched by the Irish watchdog into Facebook and its subsidiaries Instagram and WhatsApp.
Denmark’s data protection authority, Datatilsynet (DPA), has proposed its first GDPR fine, against the taxi company Taxa 4×35 (Taxa), for violating the GDPR’s data retention rules.
Taxa was not adhering to the GDPR’s data minimisation principle: it retained personal data long after its own stated retention periods. While it deleted customers’ names and addresses after two years of retention, it kept their telephone numbers for a further three years, arguing that the phone number was an essential part of its IT database and could not be deleted at that time. The Danish DPA disputed this, holding that the explanation did not justify such a serious breach of data protection law.
Taxa’s attempt at anonymisation was also found to be inadequate. Properly anonymised information cannot be linked back to the person it belongs to, but in Taxa’s case the records could still be linked to customers through their phone numbers.
The DPA recommended a fine of 1.2 million kroner (approx. €160,754), which amounts to approx. 2.8% of the company’s annual turnover. While this is well below the GDPR’s maximum for such a fine (4% of annual global turnover), it shows that DPAs are taking matters seriously. Although the fine is only a recommendation, the DPA noted that Denmark’s police and courts “generally tend to be in line” with regulators’ proposed penalties.
The UK Home Office Reports Itself to the ICO after Accidental Data Breach
The Home Office has reported itself to the UK data protection authority after accidentally sharing the email addresses of hundreds of EU citizens applying to stay in the UK after Brexit. While contacting applicants who were facing technical difficulties applying to keep their rights in the UK after Brexit, the department failed to mask the addresses in a...
I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the…
ICO Opens Consultation on Code of Practice to Protect Children’s Privacy
On 12 April 2019 the Information Commissioner’s Office opened a consultation on 16 standards for the protection of children’s privacy that online services must meet. The draft code, first required by the Data Protection Act 2018, is now named “Age appropriate design: a ...
Bounty Pregnancy Club fined £400,000 for Illegal Data Sharing
The Information Commissioner’s Office (ICO) has issued a fine of £400,000 for the careless sharing of 14 million people’s data (34.4 million records) with 39 organisations between June 2017 and April 2018.
The ICO investigation found that the company gathered information through its website and mobile apps and through its merchandise packs; it has previously been criticised for sending sales reps to target new mothers in their hospital beds shortly after childbirth. The shared data included personal information such as children’s dates of birth and gender, and was, in the regulator’s words, “likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”
“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into the data broking industry and organisations linked to this,” said Steve Eckersley, ICO director of investigations.
Following the ICO’s findings, the company has said that they have reformed their data handling processes.
“In the past, we did not take a broad enough view of our responsibilities and as a result, our data-sharing processes, specifically with regards to transparency, were not robust enough”, said Bounty’s managing director, Jim Kelleher.