Hungary has suspended some elements of GDPR as part of its strategy for dealing with the Covid-19 pandemic. Having declared a state of emergency on 11th March, the authorities have been able to do this because they can govern by decree.
The decree suspending parts of GDPR was issued on 4th May, and also applies to Hungary’s own data protection laws.
Privacy News Online reports that, specifically, authorities don’t need to provide notice about the gathering and storage of information if they are acting for the purposes of “coronavirus case prevention, recognition, exploration, as well as prevention of further spreading.”
Furthermore, citizens “no longer have the right to request access or erasure of their personal information and the government has given itself longer to respond to freedom of information requests.”
Lexology reports in greater detail that:
The government decree stipulates that data controllers’ measures under articles 15 to 22 of the GDPR as pertaining to personal data processed for the purpose of preventing, recognising and investigating the COVID-19 disease and stopping its spread are suspended until the termination of the state of emergency.
This is a concerning turn of events considering that the state of emergency has been made indefinite. Usually, a state of emergency would only last for fifteen days in Hungary and would need to be renewed by Parliament.
However, it was extended on 31st March and there is now no set end to it, allowing Hungarian Prime Minister, Viktor Orbán, to rule entirely by decree.
Suspending parts of GDPR in Hungary is therefore worrying to see. The law is relatively young and was viewed as a major step forward in protecting the rights and freedoms of EU citizens, but Hungary is already attempting to step back from it.
How Hungary’s relationship with GDPR will evolve after the pandemic has passed remains to be seen – but even then, there’s no guarantee that the declared state of emergency will come to an end.
Do you want to find out more about GDPR and your obligations under the law? Click here to contact us and discover how we can help you improve your compliance.
Home Office breaches of GDPR took place 100 times between 30th March and 31st August 2019, a report from the Independent Chief Inspectorate of Borders and Immigration (ICIBI) has found.
The breaches took place in relation to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also saw “23 documents misplaced by a postal company in July” and an incident in April where “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article states the following from the ICIBI report:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The response from the Home Office was that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a big problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, at both the lowest and highest levels. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up-to-date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.
At the PrivSec London conference on the 4th and 5th February, we enjoyed hearing how leading professionals in our field are tackling the many shared challenges of doing business under the changing needs of the 2020s.
Here are some final thoughts from the event’s keynote speaker, Baroness Neville-Rolfe, and from ourselves…
Baroness Neville-Rolfe (Member, European Union Committee, and a former minister under David Cameron, who was heavily involved in negotiating GDPR) said that data is the “oil equivalent” of an extraordinary digital revolution.
This revolution is now affecting almost everything on the planet. The effects are impossible to predict, but like other revolutions, this one started slowly and is now picking up speed.
There were some interesting official statements made by government, EU and other regulators, which indicate:
- There’s an ever-growing concern about the harms of online activity (such as for young people, from fraud, and so on), which is being reflected in legislation and official guidance across the world.
- China’s big tech companies are catching up with the major US firms.
- The UK may be particularly exposed to cybersecurity threats.
- The management of risk has gone up the corporate agenda.
- EU rules provide a framework to recognise the reciprocity between the data standards of different countries, and the UK will fall inside that alignment thanks to our adherence to GDPR in the new Data Protection Act 2018.
Overall, PrivSec London 2020 was an extremely informative conference. The key things that we learned are:
- A culture shift is needed in most companies in order to keep up with changing legislation and guidelines. This includes planning for privacy and cybersecurity, getting buy-in across an entire organisation by explaining it in the business terms of each department, and only using data for transparent, legitimate reasons.
- Security and privacy are not the same thing, and pointing enquiries about privacy to security protocols is insufficient. It’s impossible to buy ‘compliance in a box’ as a solution to GDPR, which raised people’s awareness of the legal bases for processing data.
- Cybersecurity is a serious issue; the majority of passwords may already be leaked, and Multi-Factor Authentication is a necessity. Most problems are caused upstream by system and configuration issues or poor procedures, but most money is being directed downstream at the consequences, and there are huge skill gaps in the field.
What we can do for you about all this: check out our offers to find out how we can help you with your data protection programme.
- GDPR Consultancy and Project Management – From start to finish, we will help manage your data protection programme and provide all the advice you need to become compliant.
- GDPR Gap Analysis – Identify potential risks quickly and affordably, and set out clear recommendations of what will need to be done in order to comply with the law.
- Data Protection Officers as a Service – As well as helping implement the necessary changes in your business for GDPR, we may be able to help you save money managing your data protection and securing your reputation with your customers.
- Data Protection Staff Training – We can provide in-person or online support to teach your staff and contractors anything from the very basics of GDPR to the more advanced areas of the regulation.
Our thanks to the following guest speakers at PrivSec London 2020:
- Steve Wright, Partner, Privacy Culture Ltd, previously DPO for the Bank of England, John Lewis and Unilever
- Baroness Neville-Rolfe, EU Committee member
- Sheila Fitzpatrick, Fitzpatrick & Associates
- Dave Horton, Solutions Engineer at OneTrust
- Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft; Bill Karazsia, Fortive; Joao Torres Barreiro, Willis Towers Watson
- Charlie Wijsman, Accenture Global Data Privacy Lead
- Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
- Alberto Quesada, Global Head of Group Data Management, BNP Paribas
- John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
- Ben Hawes, Benchmark Initiative
- Joan Keevil, Professional e-Learning Expert, SAI Global
- David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
- Stuart Aston, National Security Officer, Microsoft
- Greg Van Der Gaast, Head of Information Security, University of Salford
- Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester; Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa
The impact GDPR has already had shouldn’t be ignored. Between May 25th and July 3rd 2018, the ICO already received an immense 6,281 complaints concerning possible data breaches. This is a 160% increase on the same period in 2017, demonstrating how GDPR has raised awareness of how personal data is used and the protection regulations surrounding it – this is an issue that many people have taken to heart. But what about GDPR compliance after Brexit?
The United Kingdom may be leaving the EU on March 29th 2019, but that won’t mean the end of GDPR. Whether a deal is reached or not, the data legislation will still hold for British businesses. The European Union (Withdrawal) Act 2018 ensures that when Brexit comes into effect, GDPR will be incorporated into UK law – so fundamentally, GDPR compliance after Brexit will remain the same.
Anyone hoping to use Brexit to evade the ramifications of GDPR will be sorely disappointed. There will likely be some small changes to make GDPR fit the UK’s individual needs, leading to separate “UK” and “EU” versions of GDPR, but the framework will probably remain the same.
What does this mean for UK firms? Ultimately, GDPR compliance should still be a major focus. Once the UK leaves the EU, there will be little change to data protection regulation, meaning that the same measures need to be taken both pre- and post-Brexit. While the exact details remain to be seen, it is likely that data breaches will be treated in a similar manner, with near-identical penalties for data breaches.
There is an additional factor, however. With the UK no longer a member state, it’s uncertain whether data will continue to flow freely into and out of the EU. It’s important to keep an eye on how this issue develops; it will depend on the eventual deal between the UK and EU. It seems likely that a solution will be found, but companies should put safeguards in place for either eventuality.
Fundamentally, GDPR is here to stay. Brexit won’t change that, and with greater media attention on data protection, it’s at the forefront of everyone’s minds. The penalties for non-compliance are severe, and not to be risked.
For our help in ensuring GDPR compliance after Brexit and before, contact us today for our Gap Analysis and consulting. We also offer Data Protection Staff Training to improve the data protection knowledge and confidence of your employees.
News broke this week that a flaw in the Conservative Party’s conference app led to personal details being exposed to the public. The data included the phone numbers of high ranking politicians and officials such as Boris Johnson and Michael Gove, and reporters such as Sky News political editor Faisal Islam.
The incident shows how easy it is to run foul of data protection laws. Even at the highest levels of government, a simple mistake can lead to data being leaked. The Conservative Party may attempt to pass accountability onto the company that created the app, Crowd Comms, but this might not be enough as both are responsible for ensuring data security under the rules of GDPR.
Given the high profile nature of the breach, there are good reasons to be concerned. Several ministers received nuisance calls from members of the public, and there are other security issues. Other attendees – including an RAF squadron leader and a Met police officer – also had their data revealed.
Considering the high profile individuals and security issues involved, the ICO may look to fine both Crowd Comms and the Conservative Party. With GDPR only recently coming into force, it could want to set a precedent – as well as appear politically impartial.
Whatever the outcome, this is a deeply embarrassing incident for the Conservatives. The political fallout remains to be seen, but it shows how easy it is to run foul of GDPR. Note that the breach came from an app designed by a third party, but the Conservatives may still be liable.
You can find out more about the full story here: https://news.sky.com/story/senior-tory-mps-phone-numbers-exposed-in-app-flaw-11512323
If you’d like help assessing your own company’s requirements under GDPR, get in touch with us about performing a Gap Analysis to test your compliance.