30% of EU businesses fail GDPR compliance

A new survey of EU firms by RSM has discovered that 30% admitted that they fail GDPR compliance – and that a further 13% were not certain whether they are compliant or not. This leaves only 57% confident in their data protection processes.

This is worrying news given that it has been over a year since GDPR came into force. All of these organisations should have been prepared in advance, and ensured that they were compliant before 25th May 2018.

But because they fail GDPR compliance, they are putting themselves at risk.

As reported by Silicon:

It seems that there is no single issue to blame for non-compliance, but middle market businesses are apparently struggling to understand and implement a whole range of areas covered by the regulation.

 

The survey found that more than a third (38 percent) of non-compliant businesses do not understand when consent is required to hold and process data, 35 percent are unsure how they should monitor their employees’ use of personal data and 34 percent don’t understand what procedures are required to ensure third party supplier contracts are compliant.

 

The good news however is that despite the lack of compliance, GDPR is starting to have a positive impact on cyber security.

 

According to RSM, almost three quarters (73 percent) of European businesses say GDPR has encouraged them to improve the way they manage customer data and 62 percent say it has seen them increase their investment in cyber security. But alarmingly 21 percent of businesses admit that they still have no cyber security strategy in place.

You can read the full article here: https://www.silicon.co.uk/security/security-management/third-not-gdpr-compliant-272411

It therefore seems as if GDPR’s overall effect so far has been mixed. But with fines starting to appear thanks to GDPR – with British Airways recently receiving a record penalty of £183 million from the ICO – firms need to start taking their compliance more seriously.

We would always advise that data protection should be by design and default. Aside from the potential financial dangers of not being GDPR compliant, these firms are also risking a loss of trust from their customers and not being as efficient as they could be.

If you’re concerned that your organisation fails GDPR compliance, or want to further improve your data protection procedures and therefore your efficiency, click here to contact us today and find out more about our GDPR consultancy packages.

Concerns raised over how FaceApp uses data

FaceApp topped the app download charts again this week, boosted by the popularity of its new ageing filter which allows people to see how they will look when they’re a few decades older.

However, concerns have been raised about how the app handles personal data – in particular, what access it has to users’ photos and how it makes use of them.

As reported by the Guardian:

These concerns have been heightened by growing awareness of online privacy issues in recent years and the fact that the developer is based in Russia, where many high-profile online misinformation campaigns have been based, in addition to a loosely-phrased privacy policy.

 

In the US, senior Democrat Chuck Schumer has urged the FBI to investigate, saying FaceApp could pose “national security and privacy risks for millions of US citizens”, according to a letter seen by Associated Press. He said it would be “deeply troubling” if sensitive personal information was provided “to a hostile foreign power actively engaged in cyber hostilities against the United States”.

 

The FaceApp CEO, Yaroslav Goncharov, said only a single picture specifically chosen by the user would be uploaded from a phone and the app did not harvest a user’s entire photo library, a claim backed by security researchers.

You can read the full report from the Guardian here: https://www.theguardian.com/technology/2019/jul/17/faceapp-denies-storing-users-photographs-without-permission

Despite the attempt at reassurance from Goncharov, there are still reasons to be worried about FaceApp. Many apps are still harvesting user data; La Liga was recently fined $280,000 under GDPR for using its mobile app to spy on users and try to stop piracy.

And with FaceApp having been developed in Russia, which, as the Guardian stated, has been where “many high-profile online misinformation campaigns have been based”, there’s even more reason to be concerned.

If you’re uncertain about your own organisation’s obligations under GDPR, Activa Consulting are here to help. Contact Us today to find out how we can improve your compliance!

Facebook will be fined $5 billion for Cambridge Analytica Scandal

The US data regulator, the Federal Trade Commission (FTC), has announced that it intends to fine Facebook $5 billion for its part in the Cambridge Analytica Scandal.

The fine that Facebook received from the UK’s ICO, coming pre-GDPR, was a mere £500,000 – but despite the FTC’s penalty being a huge amount more, many feel that it’s inadequate.

Here’s what Dave Lee, the BBC North America technology reporter, had to say about it:

 

Facebook had been expecting this. It told investors back in April that it had put aside most of the money, which means the firm won’t feel much added financial strain from this penalty.

 

What we don’t yet know is what additional measures may be placed on the company, such as increased privacy oversight, or if there will be any personal repercussions for the company’s chief executive, Mark Zuckerberg.

 

The settlement, which amounts to around one quarter of the company’s yearly profit, will reignite criticism from those who say this amounts to little more than a slap on the wrist.

You can read the full news report here: https://www.bbc.co.uk/news/world-us-canada-48972327

It’s notable that the fine was only just passed by the FTC by 3 votes to 2, with those voting against it stating that it was insufficient, even though it would be the biggest ever brought by the FTC against a tech company.

Perhaps the most shocking thing is that Facebook shares actually rose 1.8% at the news, with investors receiving it positively.

The debate will go on, but many will continue to think that Facebook got off lightly with just a $5 billion fine. If this had come under GDPR, the company would likely have been in a great deal of trouble.

As it is, a mere £500,000 from the ICO – a record at the time, until the recent British Airways fine of £183 million – seems hardly worth mentioning.

We weren’t scaremongering. BA’s £183m GDPR fine should alarm every business.

So, those of us who warned two years ago how profoundly dangerous a GDPR fine could be for businesses weren’t wrong. We were among the very first to recognise the implications, and it’s now clear that the game has changed: if either your GDPR compliance or your cybersecurity is compromised, it can bankrupt your business. The first major GDPR fine – £183 million, yes, you read that right – is now public. Contact [email protected] for quick, comprehensive guidance.

Metropolitan Police hit with ICO enforcement notices

The ICO has issued two enforcement notices against the Metropolitan Police Service, stating that its data protection failures have been “systematic”.

It’s a requirement of GDPR that all Data Subject Access Requests (DSARs) are responded to within one month, but the Met Police have struggled to keep up with the sheer volume they’ve received.

As reported by CBR:

Suzanne Gordon, Director of Data Protection Complaints and Compliance at the ICO wrote: “The MPS has failed in its data protection obligations by not responding to SARs within a calendar month and we have issued two enforcement notices ordering the MPS to respond to all requests by September 2019.”

 

A Metropolitan Police spokesman told Computer Business Review: “We are taking the enforcement notices very seriously and regret failing to meet our obligations.”

You can read the full article here: https://www.cbronline.com/news/metropolitan-police-ico-gdpr

The Met Police now has until the end of September to resolve this issue or else be hit with a fine by the ICO. However, the chief issue here is the lack of awareness about its obligations and the measures taken to meet them.

While the 500 DSARs it receives each month is a considerable volume to deal with, this should have been anticipated before GDPR ever came into force.

Furthermore, once it became clear that its current systems were insufficient, it should have changed its procedures to meet those obligations.

If you’re worried about meeting your own data protection obligations or are unsure what they are, get in touch with us via the Contact Form here or by emailing [email protected]!