Achieved Compliance Approved for Participation in Privacy Shield: Program Essential to Any Company Moving Data from the EU to the U.S.

Achieved Compliance is pleased to announce that it has been approved to participate in the EU-U.S. “Privacy Shield” program. The Privacy Shield provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. The Privacy Shield updates the Safe Harbor regime that had supported data flows between the jurisdictions since 2000. As a participant in the Privacy Shield, Achieved Compliance meets all EU legal requirements for protection of data about EU citizens. Companies that use Achieved Compliance software and services can rest assured that we are committed to protecting data…


You Can’t Outsource Liability for Failure To Protect Data – Fine Issued for Negligence in Overseeing a Vendor’s Performance

If a recent decision of the French Data Protection Authority (CNIL) is any indication, companies can expect that data protection authorities will hold them responsible for ensuring that the vendors they contract with can secure and protect the company’s personal data. On July 27, 2017, the CNIL fined the Hertz Corporation €40,000 after information about approximately 35,000 users was exposed to inappropriate access because of the negligence of a vendor in charge of designing the Hertz France website. The privacy office’s enforcement committee held on July 18 that Hertz failed to meet its data security obligations. The enforcement audit of the company’s website determined that a…


UK Authority Warns Small Companies: “Data Protection Laws Apply to You” Fining an SME £60,000 for Failing To Take Basic Steps

The UK Information Commissioner’s Office sent a clear signal last month that it is paying close attention to the data protection measures taken by small and medium-sized companies. In a statement published June 27, 2017, titled “Warning to SMEs as firm hit by cyber attack fined £60,000” (i.e. about $80,000 U.S.), the ICO announced an action against Boomerang Video, a small Internet company based in Berkshire, England, for failure to take appropriate steps to secure customer information. ICO enforcement manager Anne Poole said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. “If a company is subject to…


You Are Making Promises in Your Privacy Policy – False or Misleading Statements Can Lead to the Payment of Damages

A new privacy law signed last month is a reminder that data protection and privacy are not just issues for companies that must comply with the EU’s General Data Protection Regulation (GDPR). In the United States, regulators at the state level are turning their attention to companies that collect and use personal information, and they are putting in place their own rules about how it should be protected and managed responsibly. A newly signed Oregon law is an example of how states are moving towards interpreting unfair competition laws to cover statements made in a privacy policy. This trend has been seen in many states. California, Connecticut,…
