Data Privacy Day as an important reminder of data protection obligations
Today is Data Privacy Day or Data Protection Day in Europe, a global effort to empower individuals and business to respect privacy, safeguard data and enable trust. Launched in 2006 by the Council of Europe, Data Protection Day takes place on 28th January each year, the date on which “Convention 108”, the Council of Europe’s data protection convention, was opened for signature. This year also marks the 40th anniversary of the Council of Europe’s ‘Convention 108′.
When it comes to data, we generate huge amounts of it, and modern organisations, from retailers to banks and social media networks, collect and manage this vast, ever-changing quantity of personal data, as well as leverage it as a strategic asset. However, organisations must adhere to rules when it comes to data managing and processing, as regulators take an even greater interest in protecting personal data privacy. A prominent example of this is the General Data Protection Regulation 2016/679 or GDPR, the primary law regulating how companies protect EU citizens’ personal data. However, beside GDPR organisations must keep up with privacy news and changing regulations. Let’s take a look at some notable changes and news.
New guidance on dealing with international transfers post-Schrems II
In July 2020, the CJEU invalidated the EU-U.S. Privacy Shield, which meant that the circumstances under which international data may leave the European Union became unclear. Later that year, in November, the European Data Protection (EDP) shared new guidance to help international organisations navigate global data flows. The EDP provided recommendations on supplementary measures as well as a second document on EU essential guarantees. Organisations should follow the provided plan to assess and protect global in accordance with EU law.
Finalisation of Standard Contractual Clauses or SCCs post-Brexit
For any business working with EU based clients or processing data with EU origins, the Schrems II decision invalidated the reliance on the EU-US Privacy Shield to transfer personal data to the US. Many US businesses are now reliant on Standard Contractual Clauses (SCCs) while we await new directives on what will be agreed to continue processing EU personal data. Now, post-Brexit, data transfers from the EU to the UK are permitted under a temporary extension while we also wait for either a similar SCC requirement or an adequacy decision.
Concerns over data privacy spark the restriction of foreign equipment within US infrastructure
The US continues to scrutinize foreign equipment, more specifically Huawei equipment due to data privacy and potential spying concerns. The US government banned the use of Huawei equipment in 2012. Huawei is also banned from US communications networks. However, the US is not the only country keeping Huawei under a watchful eye. In 2020, the UK government also announced the removal of Huawei from its 5G infrastructure, stating that the company’s devices and equipment should be removed by 2027. Sweden has also banned Huawei and Chinese rival ZTE from the country’s 5G rollout due to security risks. The government has given companies until 2025 to remove Huawei and ZTE gear from their infrastructure. Organisations impacted by these decisions should follow government guidance to ensure compliance with new regulations.
Cyber criminals compromise personal data to maximize pay-outs
Typically, during a ransomware attack, criminals encrypt and threaten to delete or never recover the organisation’s data. However, with the rise of double extortion attacks, while we’ll continue to see ransomware featured in attacks on businesses, as businesses become better prepared for recovering without paying a ransom, attackers can possibly publish the stolen data on leak sites, compromising privacy further. As organisations are responsible for the safekeeping of client, employee, customer and partner data, it’s crucial to follow the latest guidance on dealing with the double extortion threat.
As the amount of data and its value increases, it is crucial that organisations processing this data do so carefully. Individuals that provide their information to these companies entrust them with data that can be misused should it fall in the wrong hands, which can affect the organisation’s reputation. Not only that, organisations could also be subject to fines due to information mishandling. So, as the regulatory landscape changes and new threats enter the market, Data Privacy Day is a good reminder for organisations in all industries to comply with data privacy regulations and protect customer, employee, and partner privacy.