European Data Protection Supervisor Predicts Sanctions Coming Soon for Violations of General Data Protection Regulation

Regulators in the European Union could impose sanctions for violations of the General Data Protection Regulation (GDPR) as soon as the end of 2018, according to European Data Protection Supervisor Giovanni Buttarelli. According to a Reuters news report, Buttarelli said in an interview, “I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban, or to give them an ultimatum.” Regulators in France and Italy report a 53 percent increase in complaints about violations over last year, Buttarelli said, adding that enforcers have seen a sharp…


GDPR Compliance: Special Challenges for Small and Medium-Sized Organizations

The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, and companies collecting and maintaining even limited data about residents of the EU must comply. A U.S.-based company conducting only 5 percent of its business with European customers is still obligated to follow GDPR rules. But GDPR requirements are challenging to meet, and because smaller companies may have limited resources, they risk falling short of the requirements and facing the law’s serious sanctions of up to 4% of global revenue. There are, however, steps small and medium-sized enterprises can take to comply and limit their exposure to regulatory sanctions. What’s the Challenge for Small and Medium-sized…


Not Just for Large Multinationals: U.K. Information Commissioner’s Office and Article 29 Working Party Issue GDPR Guidance for Small Businesses

Smaller companies take note – the U.K. Information Commissioner’s Office (ICO) and the Article 29 Working Party have highlighted that all companies must comply with the General Data Protection Regulation (GDPR) regardless of size, and recently issued special guidance for smaller businesses. The GDPR, a law that places new obligations on organizations that collect and process data about European residents, comes into effect May 25, 2018. In a recently published set of FAQs, the ICO addresses key issues raised by the GDPR in the context of small businesses, including criteria for imposition of monetary sanctions; security; determining whether your organization is a processor or controller under the terms…


Singapore Joins the Accountability-based APEC System

While companies work to comply with the General Data Protection Regulation (GDPR), the European law that takes effect on May 25, it is important to remember that countries in other parts of the world also are adopting new approaches to information privacy protection. Companies that plan to do business in new markets should take note of these and understand that the steps they take to comply with the GDPR – particularly with respect to accountability – can lay the groundwork for compliance in other regions. On March 6, 2018, Singapore’s Ministry of Communications and Information announced that Singapore has joined the APEC Cross-border Privacy Rules (CBPR). The APEC CBPR system…


New Guidance about Transparency: Notices Must Be Accurate, Clear and Easy To Locate

Important guidance about the General Data Protection Regulation’s (GDPR) transparency requirements has been released in Europe. The Article 29 Working Party, an advisory body that oversees data protection in the EU, issued a paper that provides practical guidance and clarity about the obligations of data controllers with respect to informing individuals about the collection, use and protection of their data. The GDPR requires that notices must: be concise, transparent, intelligible and easily accessible (Article 12.1); use clear and plain language (Article 12.1), a requirement of particular importance when providing information to children (Article 12.1); be provided in writing “or by other means, including where…


CFTC Imposes $100,000 Penalty for Failure To Supervise IT Provider

On February 12, 2018, the Commodity Futures Trading Commission (CFTC) issued an order requiring AMP Global Clearing, a registered Futures Commission Merchant (FCM), to pay a civil penalty of $100,000 due to its failure to diligently supervise its IT provider in implementing AMP’s Information Systems Security Program. The order came after a third party was able to gain access to AMP customer records without authorization through a vulnerability in AMP’s network. The vulnerability had not been detected in three consecutive quarterly network risk assessments, despite the fact that security breaches resulting from similar vulnerabilities—including a number that occurred on network devices manufactured by the same manufacturer as AMP’s—had…


U.S. Regulators Convene Workshop on Privacy Risks and Harms

Compliance with the European Union’s General Data Protection Regulation (GDPR), scheduled to take effect in May 2018, has taken center stage for companies. But it is important to remember that regulators in the U.S. continue their own work to protect the privacy interests of consumers. The Federal Trade Commission (FTC) took the spotlight on December 12, 2017, when it hosted a one-day workshop titled “Informational Injury” in Washington DC. The event brought together a variety of stakeholders – including industry representatives, consumer advocates, academics and government researchers – to discuss issues related to the injuries consumers suffer when information about them is misused. In opening remarks, Acting FTC Chairwoman…
