Belgian Data Protection Authority Publishes Review of Post-GDPR Activity

The Belgian Data Protection Authority (Belgian DPA) published a review of its activities in the six months since the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. This early report offers a window into the impact of the GDPR on companies, the public and the activity of at least one regulator’s office.  The review, available in French and Dutch, notes that since the GDPR came into force, the Belgian DPA has received 317 data breaches, most of which were reported from the health care sector, insurance companies, public institutions and defense, telecommunications and postal services, and financial services companies. The Belgian DPA has received…

READ MORE

Data Regulators Focus on Artificial Intelligence and Data Ethics at Annual International Meeting in Brussels

Achieved Compliance attended the 40th Annual International Conference of Data Protection and Privacy Commissioners which convened this year in Brussels. This meeting is the largest and most significant gathering of data protection authorities in the world. It provides an important window on the status of data protection law and regulation, the impact of new technology on privacy and what is top of mind for regulators. While companies continue to grapple with the requirements of the General Data Protection Regulation (GDPR), which took effect in May of this year, the law did not take center stage at the annual meeting of regulators. Instead, the focus of this year’s conference was artificial…

READ MORE

European Data Protection Supervisor Predicts Sanctions Coming Soon for Violations of General Data Protection Regulation

Regulators in the European Union could impose sanctions for violations of the General Data Protection Regulation (GDPR) as soon as by the end of 2018, according to European Data Protection Supervisor Giovanni Buttarelli. According to a Reuter’s news report, Butarelli said in an interview, “I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban, or to give them an ultimatum.” Regulators in France and Italy report a 53 percent increase in complaints about violations over last year, Buttarelli said, adding that enforcers have seen a sharp…

READ MORE

Belgian Privacy Commission Issues Recommendation on Data Protection Impact Assessments

An important aspect of the General Data Protection Regulation (GDPR) that may be new to companies is the requirement set forth in Articles 35 and 36 that they conduct data protection impact assessments (DPIAs) when embarking on new data processing activities. While some organizations may have experience with DPIAs, often referred to as Privacy Impact Assessments in the United States, many may be unfamiliar with how they should be carried out and what data protection authorities look for when they review them. Companies may find help in the Belgian Privacy Commission’s Recommendation on Data Protection Impact Assessments and the prior consultation requirements provided for by Articles 35 and…

READ MORE

GDPR Compliance: Special Challenges for Small and Medium-Sized Organizations

The EU’s General Data Protection Regulations (GDPR) came into effect on May 25, and companies collecting and maintaining even limited data about residents of the EU must comply. A U.S.-based company conducting only 5 percent of its business with European customers is still obligated to follow GDPR rules. But GDPR requirements are challenging to meet, and because smaller companies may have limited resources they risk falling short of requirements and facing the law’s serious sanctions of up to 4% of global revenue. But there are steps small and medium-sized enterprises can take to comply and limit their exposure to regulatory sanctions. What’s the Challenge for Small and Medium-sized…

READ MORE

The Importance of Article 27: Identifying a Representative in Europe

The General Data Protection Regulation came into effect on May 25. In an effort to comply, companies of all sizes have been taking steps to meet requirements. Mapping data, appointing staff to lead data protection work in the organization, reviewing and updating security, developing data governance programs – businesses are investing time and resources to understand and meet GDPR expectations. What is often lost in this flurry of activity is an understanding of GDPR’s Article 27 – a provision that requires that companies that are not established in the EU, but that collect and process personal data about residents of the EU, appoint an EU-based representative. The EU…

READ MORE

New Guidance for Companies that Transfer Data from the EU to the U.S.

The Article 29 Working Party has recently released several new documents of interest to companies that collect and process data about EU residents and who move data from the EU to the United States. First, the Working Party released “Recommendations on the Standard Application for Approval of Data Controller or Processor Binding Corporate Rules for the Transfer of Personal Data.” Binding Corporate Rules (often referred to as BCRs) are one mechanism available to companies to support the legal transfer of data outside the European Economic Area. Article 45 of the GDPR requires that data transferred to a country which has not been deemed to provide an adequate level of data…

READ MORE

Not Just for Large Multinationals: U.K. Information Commissioner’s Office and Article 29 Working Party Issue GDPR Guidance for Small Businesses

Smaller companies take note – the U.K. Information Commissioner’s Office (ICO) and the Article 29 Working Party have highlighted that all companies must comply with the General Data Protection Regulation (GDPR) regardless of size, and recently issued special guidance for smaller businesses. The GDPR, a law that places new obligations on organizations that collect and process data about European residents, comes into effect May 25, 2018. In a recently published set of FAQs, the ICO addresses key issues raised by the GDPR in the context of small businesses, including criteria for imposition of monetary sanctions; security; determining whether your organization is a processor or controller under the terms…

READ MORE

Singapore Joins the Accountability-based APEC System

While companies work to comply with the General Data Protection Regulation (GDPR), the European law that takes effect on May 25, it is important to remember that countries in other parts of the world also are adopting new approaches to information privacy protection. Companies that plan to do business in new markets should take note of these and understand that the steps they take to comply with the GDPR – particularly with respect to accountability – can lay the groundwork for compliance in other regions. On March 6, 2018, Singapore’s Ministry of Communications and Information announced that Singapore has joined the APEC Cross-border Privacy Rules (CBPR). The APEC CBPR system…

READ MORE