IAPP: Privacy. Security. Risk. 2019 – What we learnt

Last week, Calligo exhibited at IAPP’s annual Privacy. Security. Risk 2019 in Las Vegas, Nevada. PSR is notably the most significant event in the privacy industry, attracting privacy professionals from across the globe to discuss the latest data privacy news, trends, tech and issues.

Over two days, keynotes and panels explored how privacy and technology must work together simultaneously, discussing topics such as building privacy programmes to accommodate a wide range of data privacy laws such as GDPR and CCPA (California Consumer Privacy Act), Privacy by Design, as well as bridging the gap between privacy and security.

What did we learn?
Data Protection Officers

This topic came up repeatedly, and is a subject close to our hearts – appointing a Data Protection Officer.

Currently, under GDPR, articles 37-39 state that if your business is a public authority or if your business handles and processes large quantities of personal data, you are required to appoint a DPO. However, many companies are either not appointing someone at all, or they’re struggling to find an external candidate due to the expense of hiring the right skillset. And, not to forget arguably the most common mistake companies are making – appointing the wrong person internally.

We have seen many businesses appoint someone internally, on top of an existing position, to act as their DPO. This isn’t always wise.

J. Trevor Hughes, President & CEO of IAPP

A DPO needs to tick several boxes, which are rarely possible for an internal appointment:

A DPO is a very technical and multi-faceted role, one that has evolved quickly in recent years and that few have experience in.
A DPO needs the latest knowledge of data privacy and GDPR, as well as being able to advise on data protection and information security.
A DPO must act independently, with no conflict of interest with any other data or privacy-based role, so cannot hold a role in IT, security, HR, finance or legal, for example.
A DPO must have access to the highest management levels.

To avoid these issues, organizations are increasingly outsourcing their DPOs. Our Data Protection Officer as a Service (DPOaaS) provides companies with access to independent privacy consultants who will monitor your compliance, conduct audits and represent your organization to data subjects and regulators.

CCPA

Another hot topic during the event was unsurprisingly the introduction of CCPA. With similar implications as GDPR, CCPA will radically transform how businesses across the USA and beyond handle Californians’ personal data. Also, despite having well over a year to prepare for its arrival on the 1st of January 2020, many businesses are falling short.

Seemingly because of a lack of understanding or awareness of the status of the Californian privacy law itself, organizations are struggling to come to terms with its nuances and requirements, such as data consent, opt-ins/outs and consumer access requests.

And whilst businesses play catch-up, another stream of conversation that followed was “what’s next?” Privacy does not stop with the GDPR and CCPA, and with proposed privacy laws from many more US states and countries, what will the next new round of obligations look like? And how will businesses prepare?

Bridging the gap between privacy professionals and Infosecurity

A subject that many privacy professionals can relate to – being able to understand and be understood by IT and Infosec teams.

As privacy laws evolve, they are driving an ever-increasing technical agenda. For example, GDPR’s Privacy by Design requirements are not an issue of legislation, but of technical oversight. Meeting these obligations therefore naturally requires privacy professionals and their counterparts in technology and security to co-operate.

Unfortunately, both sides tend to speak a different language. Some words have completely different meanings on both sides of the fence. For example, to a privacy professional, the word “ensure” implies a guarantee that a certain action will be taken, but the same word to a security professional means that there will be vague oversight of a situation. These are far from the same thing! Unsurprisingly, the split lexicon of the two teams can lead to misunderstandings that have substantial commercial and reputational impacts on the business.

Calligo’s Jennifer Wu, Privacy Consultant, even presented on this topic on the Little Big Stage during PSR. Jennifer highlighted the common mistakes both sides are making and how it’s hindering Privacy by Design. She also made recommendations on how to avoid these issues, and how Privacy teams and IT / Infosec teams need to build a better working relationship, which depends on speaking the same language.

If you missed Jennifer’s presentation or would like to discover how to understand or be understood by your CISO and CIO, our ebook “The Privacy Rosetta Stone” provides real-life case studies on three businesses who encountered this language barrier, the impacts it had on their businesses, and how they fixed the problem. It also includes top tips on how to identify a good and bad Privacy and Technical relationship and how to create your own Rosetta Stone.

UPDATE 3: The Data Privacy Periodic Table

To read the latest update (August 2021) to The Periodic Table of Data Privacy, click here. 

The Data Privacy Periodic Table continues to be well-received and widely shared and commented upon. Since our last update in January, data privacy has barely left the news.

Proposed fines have been awarded to some of the biggest brands, including British Airways (£183.4m) and Marriott Hotels (£99m – announced 24 hours after British Airways), AI and automation commentators continue to debate how to progress within the boundaries of Privacy by Design, and there have been constant updates to new local and national draft laws.

The British Airways fine in particular is interesting as it represents only 1.5% of BA’s turnover, far behind the maximum 4% that the GDPR permits. To the casual observer it therefore seems a light penalty, but in fact it is probably a carefully chosen figure – more than enough to provoke shock and awe across the industry and media, but not so high as to be easily challenged. It’s also a far cry from the £500,000 that the ICO’s powers used to permit, continuing the trend of Supervisory Authorities being willing and perhaps eager to use their powers to punish the most grievous and negligent offences.

And so to this update of the Data Privacy Periodic Table. While data privacy has largely been kept at the forefront of our minds by brash headline-grabbing fine announcements, the changes on this occasion are conversely driven more by the subtleties of the laws themselves.

The updates
Changing “Controller” and “Processor” to “Owner” and “Executor”

When we first launched this project in September 2018, we were determined to make sure it reflected the wider privacy world and was not just a Periodic Table of the GDPR. This is harder than it sounds, despite the principles of the GDPR appearing to be reflected in almost all national privacy laws drafted since.

As new laws have been drafted since, it has become clear that the terminology of “Controller” and “Processor” (elements #40 and #41) has become too specific, though not unique, to the GDPR. The roles and demarcation are very common, but the names are not consistent.

For instance, the draft Indian privacy bill describes a role that is ostensibly the same as that of a GDPR Controller, and names it “data fiduciary”. Hong Kong uses the term “user” (which has created enormous confusion in client engagements when discussing collecting the data of website visitors or SaaS platform customers!), and the CCPA refers to “service providers”.

We therefore felt that “Controller” was becoming too GDPR-centric and have changed it instead to “Owner”.

For some, this will appear to be unwise wording. After all, the central ethos of data privacy is that the data subject is the ultimate owner of their personal information, and not a brand who simply holds a record of it. However, we wanted to use a term that conveys an obligation to oversee the treatment and physical safety of the data – in other words, they are not the owner of the data (that will always be the data subject), but the owner of the responsibility.

Meanwhile, for the same reasons of GDPR-centricity, we have changed “Processor” to “Executor”.

We considered “Agent” but it risked being too easily confused with “Controller” / “Owner” who is often said to have “agency over data”. Plus it suggests being in the direct and total control of the Controller, which is not accurate.

We considered “Proxy”, but we felt it implied too much control over the decision-making.

And we considered “Intermediary”, but it didn’t feel quite representative of all types of data exchanges between the two parties.

“Executor” meanwhile is a sufficiently recognised legal term to be understood, while striking the right balance between performing a role that is instructed at a high level, but that also suggests enough freedom in the performance of the role to bear some responsibility.

Data Protection Impact Assessments vs Privacy Impact Assessments
A big conversation currently is the difference between a Data Protection Impact Assessment and just a Privacy Impact Assessment. GDPR requires DPIAs, while the industry has always been accustomed to PIAs, and has mistakenly conflated the two.

So, what’s the difference?

We could spend thousands of words on this, but in brief terms, a PIA is a process that privacy teams use to assess how changes to the business affect the overall privacy strategy, impact Privacy by Design, and whether they create new risks.

Meanwhile a DPIA is more targeted, both at an individual process, and on the impact on the data subject. The two processes certainly overlap, but they also have different aims. They should both be performed, in tandem, with any change to the business – but by no means should one replace the other. Accordingly, we have split them out in the table, as elements #27 and #28.

To make room, we combined “Suppliers” and “Partners” in the bottom half of the Central Components of Data Privacy section, where various types of data subject are listed, to create a new element, “Third Parties”.

“Data Protection Officer” now “Privacy Officer”
Just as with Controller and Processor above, we feel that the GDPR-centric title of Data Protection Officer (“DPO”) hasn’t become universal, or even as commonly used as anticipated.

Russia does use the term, as does the Indian privacy bill, but Brazil’s draft for example simply refers to “Privacy Officers” whose roles are arguably more akin to CISOs, especially given there’s no requirement to avoid conflicts of interest. The CCPA has no requirement for the role at all, although commentators are widely recommending that having one would be best practice regardless.

In essence, there is too much variety in nomenclature, and even in the exact requirements or necessity of the role itself, for us to continue to use DPO as it is commonly understood. We have therefore switched it to “Privacy Officer” (element #39), intending it to refer simply to an internal supervisory role where the rights (ethical as well as legal) are represented within the business. Whether an organisation is compelled to appoint one or not, it is surely prudent to have such oversight in place.

Replacing ICANN with US States
The ICANN saga (element #114 in the Future Developments section) appears to have reached something approximating a conclusion – for now at least. As of May, the WHOIS directory has been redacted and access is now controlled. And while conversations continue over whether this affects anti-terrorism efforts and the like, and a long term solution is still being sought, there is unlikely to be major change for some time.

We are replacing this with an area of far greater disorder and confusion – the various privacy laws of the US’ individual states. Three states – Nevada, Maine and California – have passed their local laws (though see our previous update as to why we are still keeping the CCPA in Future Developments rather than Core Legislation), and as many as 11 have bills in progress, and five have been toppled in some way, including Hawaii’s that was vetoed only a few days ago.

As many know, there is talk of whether these states’ bills will create enough pressure for a single federal bill to be introduced, but for now, and perhaps for quite a while yet, we suspect the states will have to continue to handle data subject protection themselves.

(As a side note, did anyone notice our deliberate use of USSs for this element, not to be confused with USSS, the United States Secret Service – an ironic potential confusion for this topic!)

As always, let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.

Data Privacy News: Five stories that you need to know about

From huge GDPR fines to alleged privacy trends for 2019, our roundup blog covers the top 5 stories about data privacy you may have missed this year so far.

They are not necessarily the articles with the biggest headlines, most surprising stats or even necessarily the most well-known. But taken together, these 5 stories paint the clearest picture of where the privacy world sits right now.

1- Data Privacy – will it be as in vogue as it was in 2018?

This article on TechRadar asks whether, after privacy was simultaneously an exciting but also chaotic topic in 2018, interest will decline this year or whether privacy will remain as high on the agenda.

The answer is most likely, “yes, it will remain on the agenda, but for different reasons”.

The main thrust of the privacy news cycle in 2018 was simple – GDPR’s arrival, the confusion it caused, especially in relation to Brexit, and the domino effect it had globally, as more and more countries adopt their own very similar legislation.

But in 2019, the emphasis shifts. Now we are talking about its enactment and extension.

Big brands are being hit with hefty fines, theoretically being held up as examples to all businesses of the seriousness with which Supervisory Authorities are dealing with transgressions. While this will be true for some, many smaller companies are thinking they can hide under the radar. This is just one of the many misperceptions that we highlight in our Tales from the GDPR Frontline – a collection of anecdotes of the mistakes and oversights that our Privacy team has noticed amongst our clients.

As for its extension, this article also highlights the change in privacy conversation from GDPR to ePrivacy i.e. the storage of data, the use of cookies and electronic communications. In codifying privacy rights and requirements, GDPR has created a foundation on which to build, and it seems the specifics of ePrivacy (see the long-running conversation over the Regulation’s timeline in particular) will be one of the first new building blocks.

2- Tech Tent: Facebook’s Planned Privacy Pivot

In this article and supporting Podcast, Rory Cellan-Jones, technology correspondent for the BBC, notes how times have changed. Gone are the days where people openly share every detail of their lives on social media, and in particular, on Facebook. Instead, consumers are increasingly concerned about where their data is being stored and how it’s being treated.

Facebook, over recent years, has been accused and found guilty of mishandling its customers’ data regularly, and has been late to the game in adapting to the changing mentality of “privacy-first”.

After a number of scandals Facebook’s CEO, Mark Zuckerberg, has announced in a blog post that the company is changing the way it thinks about privacy and how it wants to implement stronger privacy controls, and make Facebook a “privacy-focused platform.” This in the face of its track record:

I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform — because frankly we don’t currently have a strong reputation for building privacy protective services. But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories. 

But this BBC article was not chosen to show how Facebook has changed. The point is wider than that. The world view of privacy and acceptable use of data has changed dramatically, and for some, too quickly. Facebook and Google will not be the only ones to suffer from this. Businesses of all sizes, and even execs and department heads, that have grown accustomed to practices that are not strictly privacy-first will find this new world cumbersome, obstructive and frustrating, making the prudent and balanced introduction of Privacy by Design principles vital to their ongoing success.

3- Google GDPR fine shows ‘embarrassing’ extent of how firms misuse people’s data

Nearly a year on since GDPR came into effect, over 200,000 cases have been reported resulting in €56 million in issued fines. An article on this remarkable statistic is available here, and arguably this should have made the top five stories, but there is one fine that stands out the most.

In January, the most significant GDPR fine to date was issued to the technology giant, Google. CNIL, the French regulator, issued the €50 million (£44 million) fine after receiving and investigating reports on how Google handled people’s data.

They found that Google had “not sufficiently informed” people on how it collected their data and showed a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. Rather than go into the details here of what the decision teaches the privacy industry and wider business, check out the blog post written by our Director of Data Ethics and Privacy, Sophie Chase-Borthwick.

Moreover, it looks like this is the tip of the iceberg. Ron Moscona, a partner at international law firm Dorsey & Whitney, states “The penalty imposed on Google by the French regulator can be seen as a warning shot at the digital industry at large.” And, with complaints filed against Amazon, Apple, Netflix and Spotify, we’re sure to see some hefty fines hitting the headlines soon – notwithstanding the point made above: it won’t be just the big brands.

4- Consumer Data Privacy: Why We Need A (Single) Federal Law

Building on the point made in the first article, and the domino effect that GDPR had, this article argues that the United States needs to follow the EU’s footsteps and enforce a national data protection law that all businesses and organizations would need to adhere to.

When GDPR was enforced, it prompted numerous discussions of data privacy regulations across the US, resulting in California being the first state to act. The California Consumer Privacy Act (CCPA) was adopted in June 2018 and is set to become state law on January 1st 2020 (although there are proposals afoot that could impact that).

As it currently stands, this new law enables Californian residents to have the right to know what personal information businesses collect, from where they got the data from and how it will be used. It also makes it easier for consumers to file lawsuits against companies who suffer a data breach, prompting more organizations to start pre-emptively examining their data privacy and security processes.

Privacy is clearly a rising tide, but with more and more legislation likely to come to the fore, adherence for companies whose activities cross national borders, whether by virtue of employees, customer base or suppliers, will become increasingly confusing. This is what triggered our Data Privacy Periodic Table project – an ongoing and regularly updated collection of the key points, or “elements”, of data privacy.

5- Data privacy doesn’t mean data security – Here’s how to protect your business

This article from Verdict raises one of the most important, but often forgotten, points of data privacy: the relationship between data privacy and infosecurity, and the equal importance of both.

The exact nature of it is constantly debated. Do they overlap? Are they symbiotic? Does one underpin the other? Or is one a sub-discipline of the other? Regardless of the outcome – which may vary from business to business anyway – one thing is clear: they are not the same.

We find that many of our clients, prior to working with us, considered robust infosecurity disciplines and infrastructure synonymous with privacy, or alternatively, they considered the two unrelated.

We take infosecurity’s role in privacy extremely seriously. In fact, our privacy teams comprise as much infosecurity experience as legal expertise. No matter what your personal views on the debate, one thing is certain: when it comes to the protection of data subjects’ data, both fields are equally important. So much so that breaches of any description will always point to failings in both fields.

8 Data Privacy Influencers we think you should be aware of

Data privacy is probably one of the fastest-growing conversations the business world has ever seen. After all, it is a perfect storm:

It is new
It is emotive
It is unresolved
It is constantly changing
It overlaps with other new, unresolved and constantly changing business conversations, such as Artificial Intelligence, businesses’ use of data and even global politics
The media cycle is peppered with big, eye-catching brands and big fines

However, with so much noise being made about data privacy – whether about GDPR or other debates on national, local or sector-specific regulations; its implications for AI and IoT; its overlap with Infosecurity or even simply best practices for privacy in business – it can often be overwhelming and confusing.

So who should we be listening to and why?
We’ve done the hard work for you and have searched high and low for some of the most insightful and astute influencers in the data privacy world. We believe these are the voices worth listening to in order to stay informed and updated with the latest news and debates within data privacy, data security and data protection.

Jed Bracy

Jed works for the International Association of Privacy Professionals (IAPP) as an editor of Privacy Perspectives and Privacy Tech. He is fully immersed in data privacy and writes about the ongoing views and developments of data security and privacy. He also blogs about the intersections between technology, society and privacy and writes feature articles for The Privacy Advisor and Privacy Tracker.

Ann Cavoukian PhD

Dr Ann Cavoukian is one of the world’s leading privacy experts. She is presently the Distinguished Expert-in-Residence, leading the Privacy by Design Centre of Excellence at Ryerson University. Dr Cavoukian served three terms as the Information & Privacy Commissioner of Ontario, Canada, where she created Privacy by Design. She has received numerous awards such as being named as one of the Top 10 Women in Data Security and Privacy and earning the Meritorious Service Medal by the Governor General of Canada for her outstanding work on creating Privacy by Design.

Sandra Wachter

Dr Sandra Wachter is a lawyer and Research Fellow in Data Ethics, AI, robotics and Internet Regulation/cyber-security at the Oxford Internet Institute. Sandra specializes in technology, data protection and data privacy law. She often delivers talks on data ethics and privacy; and comments on the most topical news as it appears.

Eric Vanderberg

Eric is well known for his insight on cybersecurity, data privacy and protection. He shares the latest updates on privacy breaches within large organizations and comments on the key mistakes these companies often make. Eric is the author of several books, and he frequently writes articles for magazines, journals, and other publications.

Omer Tene

Omer Tene is Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals (IAPP), where he leads the creation of content as well as sharing relevant news, articles, research and knowledge within the privacy world. He consults with many businesses and governments on data privacy and data management, as well as cybersecurity. Omer also contributed to our pre-May 2018, discussing the implications of GDPR.

Graham Cluley

Graham Cluley is a public speaker and independent computer security analyst. He reports on the latest security issues and data breaches as they happen and is the co-host of the award-winning podcast “Smashing Security”, which discusses the world of cybersecurity and online privacy.

Sheila FitzPatrick

Sheila FitzPatrick is a worldwide expert in data privacy and data sovereignty laws, especially GDPR. She is a consultant Chief Privacy Officer for all industries, including the technology sector, and is a regular speaker at national and international privacy conferences. Sheila shares news and articles on GDPR, data protection, privacy and regulation. Sheila was a contributor to our GDPR Interview Series and discussed how businesses can overcome the confusion over GDPR.

Rebecca Herold

Rebecca Herold is known as the “Privacy Professor”. She is an information privacy, security and compliance consultant and serves on many advisory boards. Rebecca has written numerous articles and books on data privacy and information security and also hosts a podcast called Data Security and Privacy with the Privacy Professor.

Data Privacy News: Two lessons from CNIL fining Google under GDPR

Last week, CNIL, the French data protection agency, handed Google the largest ever GDPR penalty (€50m) for its lack of transparency in how it collected and used personal data for personalised advertising.

This is of course a landmark case in the implementation of GDPR. Importantly, it also shows that despite fears pre-May 2018, European DPAs will not be perturbed by the legal resources that some of the biggest companies in the world have at their disposal – despite the entirely predictable appeal that Google lodged almost immediately.

But the case also raised two interesting points for privacy professionals: a debate over bias in which cases are pursued by DPAs, and how the “one stop shop mechanism” is applied in practice.

1. Is there bias in which cases DPAs pursue?

Within many of the CNIL-Google media reports, there were accusations that CNIL showed nationalist bias in punishing US-based Google, while not displaying the same zeal in pursuing French or European organisations for similar offences. Others added that this case was a classic example of many European DPAs’ “anti-big” bias – a tendency to go “headline hunting” and target the biggest brands in order to demonstrate a dedication to protecting data subjects.

But these accusations miss the point.

If there is a conscious “anti-big” bias in data privacy (which would be no surprise given wider geo-political trends), then that bias sits predominantly with the data subjects, not the data protection authorities.

A DPA will rarely begin a case of its own volition. Faced with limited proactive investigative resource, DPAs are alerted to potential foul play by receiving complaints from data subjects, and on examination of their merits and the seriousness of the offence(s), may initiate proceedings.

Perhaps unsurprisingly, since GDPR’s go live, almost every European DPA has reported large numbers of data subjects objecting to the ways in which the likes of Google and Facebook have collected and used their data. These high numbers of complaints will be an unavoidable effect of being some of the largest companies in the world – as any missteps will impact more people – but also a function of the underlying but growing “anti-big” popular sentiment and mistrust of large enterprise.

Clearly any DPA in such a situation will feel compelled to prioritise the cases attracting the greatest outcry – especially in the face of inevitable media attention, and regardless of the data subjects’ possible bias or of the nationality of the alleged offending company.

Secondly, this particular case was originally brought by two lobbyists: La Quadrature du Net (LQDN), who acted on behalf of more than 10,000 data subjects, and NOYB, a very powerful privacy pressure group that is headed by no less than Max Schrems, who made his name in privacy by bringing a case against Facebook that led to the invalidation of Safe Harbour. No DPA could realistically deprioritise a genuine case brought to them by these two bodies, especially when supported by hundreds of additional individual data subjects.

So to answer the question above, yes there could well be a trend in how DPAs pursue some cases over others. But the bias actually sits mainly with the data subjects – and those bodies that represent them en masse – and their apparent own eagerness to retaliate against “big”.

2. The “one stop shop mechanism” in practice

This is a question of which DPA leads actions brought against companies. The “one stop shop mechanism” within the GDPR dictates that where an organization has entities in multiple EU countries, the DPA of the country where the organization’s “main presence” is located shall lead the proceedings.

The role of “leading proceedings” means being the sole authority that the organization needs to deal with and respond to, while also requiring the chosen DPA to collaborate with the DPAs of other affected countries before making any decisions.

There was a fear that this might lead to “DPA shopping”, as organizations who suspected actions may be brought against them could theoretically move their main presence to a country whose DPA is more lenient or less proactive.

However, this case has shown that this – fortunately – will not work. It was deemed that despite any theoretical role in Google’s organizational structure, Google’s EU HQ in Ireland could not be considered the European data controller as it did not have decision-making powers over how data is processed. Being a controller is a prerequisite for the “one stop shop” rule to apply, and in the absence of a central European controller anywhere else, all of Google’s European entities were deemed to be data processors, making all European DPAs, including CNIL, equally free to bring actions.

This goes back to the main theme of our blog a couple of weeks ago about the Uber decisions, and how DPAs will determine organizational liabilities based on actions, not titles – a theme we will no doubt see again and again and that companies need to be aware of.

But despite Google and Uber both being fined in the last couple of months, don’t fall into the trap of believing that DPAs are only interested in targeting the largest companies. We are seeing plenty of actions being brought against smaller companies whose actions have affected large numbers of data subjects.

In fact, this mistake is one of the falsehoods of GDPR that we uncovered in our popular download, the 10 Myths and Fairy Tales of GDPR.

We offer a range of privacy services – ‘privacy-first’ data management consultancy and specific data privacy regulations assistance, and importantly, GDPR services.

International Data Protection Day 2019

Every year since 2006, the privacy industry has celebrated Data Protection Day, or, as it became known outside Europe, Data Privacy Day.

The day typically marks an opportunity for experts from the worlds of business, academia, consultancy and lawmakers to announce collaborations, hold crucial debates and work together to drive the privacy industry forward.

Arguably, privacy’s most vital next step is to make implementations of new policies and processes as successful as possible. The awareness stage is over – the dramatic rise in legislation in recent years and months is testament to that. As is the degree of attention that the media and its audience is paying to it. But the nature of the stories that the media is most often reporting shows us what the next step is: making the execution of new privacy-first strategies as unobstructive as possible.

In the related field of infosecurity, it has long been lamented that the easiest way to guarantee a breach is to make your processes and policies so frustrating that your workforce circumvent them. Privacy is the same.

Too many times have we seen reports of businesses completing their privacy audits, implementing new policies, but ‘frontline’ teams nonetheless either actively or naively bypassing them and falling foul of privacy legislation.

So our contribution to Data Privacy Day is aimed to help the industry better understand the nuances of privacy – not only in terms of what it requires, but also in terms of how to deliver it successfully.

We have built a dedicated resources page for Data Protection Day, including downloadable guides and observations from real-life client scenarios. We have also updated our famous Data Privacy Periodic Table with new legislation and future developments to be aware of, especially for today.

In the meantime, Happy Data Protection / Privacy Day!

What the Uber fines teach us about local data privacy enforcement

Data Privacy News: What’s in a name? What the Uber fines teach us about local data privacy enforcement

The Uber data breach of 2016 is creating quite the ripple effect.

Most obviously, the hack’s revelation, and the media furore that accompanied it, caused numerous boards and management teams to ask the dreaded question of their data security teams, “Could this happen to us?” And many answers will have been sheepishly and concerningly in the affirmative.

But the ramifications go far beyond the reignited cybersecurity question. It has also highlighted an interesting legal point – and one that is often overlooked.

Uber 2016 data breach timeline – edited highlights

October and November 2016 – Uber is hacked through a vulnerability in GitHub (an online resource for developers) which led them to Uber’s AWS login credentials. 57 million customers’ and drivers’ names, email addresses and mobile phone numbers are exposed, along with the driving licence and journey details for the 600,000 drivers affected. Uber conceals the hack and pays the hackers $100,000 to delete the data.
November 2017 – breach is revealed by Bloomberg and confirmed by Uber. Joe Sullivan, Chief Security Officer, and one of his deputies are fired for their roles in the cover-up, which was also known about by the then CEO, Travis Kalanick. Dara Khosrowshahi, who had taken over as Chief Executive Officer in the previous September, pledges transparency for the future.
May 2018 – GDPR comes into force, meaning the breach can only be penalised under pre-existing data protection laws, not GDPR.
July 2018 – Uber announces former Intel chief privacy and security counsel Ruby Zefo as Uber’s first Chief Privacy Officer and TomTom’s ex-VP for Privacy Security, Simon Hania, joins Uber as its first DPO.
September 2018 – US court fines Uber $148m as part of a legal settlement, avoiding a public court case in an action brought by 50 US states and the District of Columbia.
November 2018 – British and Dutch regulators impose fines on Uber of £385,000 ($490,760) and €600,000 ($678,780) respectively. Uber said in a statement, “We’re pleased to close this chapter on the data incident from 2016.”
December 2018 – the French Data Protection Authority fines Uber €400,000 ($460,000).

The events of November and December of last year are signalling a very interesting pattern that data privacy professionals need to take careful note of.

The Dutch regulator, the Autoriteit Persoonsgegevens, has ostensibly taken the lead on this case on behalf of all of Europe, on the basis that Uber’s European presence is headquartered in the Netherlands.

However, it is the way that the UK Information Commissioner’s Office (ICO) and the French Commission Nationale de l’Informatique et des Libertés (CNIL) have acted that has sparked the most interest. Not only have they fined the Dutch HQ for the impact of the breach on their own respective citizens, but they have also taken the additional step of fining the local entities separately.

Why is this important?

Because Uber tried to prevent exactly this from happening with its carefully worded intra-company agreements. In these documents, each of its local corporate entities was named as a mere “processor” of personal data, not a “controller”, meaning that under pre-GDPR legislation they could not be held ultimately liable, nor fined.

But the French and British regulators disagreed. They ruled that the deciding factor was not how the corporate entity was named or considered by Uber’s internal privacy structure, but how they acted in practice. And because they performed the role of a local data controller, they could be held responsible for their part in the local infringements (such as not reporting the breach to the relevant regulators within 72 hours), just as the European headquarters could be fined for its role in the wider offences (such as failing to identify and rectify the vulnerability itself).

In other words, role-based liability comes down to how you act, not what you call yourself.

Lawyers will not find this ruling surprising at all. This is a standard tenet of common law.

However, many privacy professionals are not necessarily so experienced in the way the law works. Those companies whose privacy teams are experts in technology, security and policy, and not law, may overlook the need to ensure that the way their local offices operate reflects what the privacy structure expects, creating legal vulnerabilities in the process.

This is presumably exactly what has happened to Uber. Rather than their legal and privacy team trying to pull off a ruse based on a technicality, it appears that there is a clear mismatch between what the privacy structure anticipated of the local entities’ roles and how they acted in reality.

As we have said in these Data Privacy news blogs many times before, data privacy is a multi-faceted discipline, and far more complex in practice than many realise.

Privacy Shield – not the same old story, for a change

Privacy Shield is an EU-instigated unilateral agreement that obliges the US to protect the personal data of US citizens that came into force on 1 Aug 2016.

It’s fair to say that since then, Privacy Shield has not been considered the lighthouse of data privacy law. The history of US corporate observance is far less than positive. But this is perhaps unsurprising given its original construction lacked a legal foundation or punitive measures – as MEPs and the wider privacy industry and media have repeatedly and forcefully bemoaned.

Privacy Shield is required to be reviewed each year, during which it can be revoked if it’s not performing or being adhered to, and last month saw Privacy Shield’s second annual review.

Shaky ground?

As the review approached, there were various theories that Privacy Shield would indeed be suspended or even cancelled by the EU Commission in response to the US’ underwhelming response to the 10 recommendations (or perhaps demands) made by the EU this time last year.

One of the key requirements was new senior appointments to the PCLOB (Privacy and Civil Liberties Oversight Board), an independent agency headed by a board of at least three, ideally five, bipartisan members and designed to ensure personal privacy is not infringed in anti-terrorism activity or legislation. These appointments have been slow to say the least. A chair was appointed almost immediately, but two further senior members were only nominated in March and were for many months yet to be confirmed. Indeed, just before the review, a coalition of 31 organisations even called for faster action on this, noting that the PCLOB had only had a full senior complement for 4.5 of its 11 years!

MEPs also resented the US refusal to include Presidential Policy Directive 28 within FISA when it was reviewed at the end of 2017. This would have required US surveillance activities to safeguard all personal information, regardless of the individual’s nationality. This was rejected, and so the EU requested (and is still waiting for) evidence that FISA is not indiscriminately collecting data in direct violation of the EU’s Charter on Fundamental Rights.

Progress made

All of this said, it seems that this review may have resulted in some notable developments – ones that may save it from being suspended, cancelled or embarrassingly ignored.

The official report is due before the end of the year, but there have already been announcements of practical progress. For example, three PCLOB members were appointed on 12 October (one week before the review), creating a total of four, with one resignation pending and two further nominees before the Senate for approval.

Also, an acting Privacy Shield Ombudsperson was appointed in late September. Granted, this was also overdue and required after the first annual review a year ago, but Manisha Singh, a previous Undersecretary for State, now heads up the focal point for EU citizens to direct their complaints about the US Government’s treatment of their personal data. This appointment has been welcomed by the EU Commission, although judging by the language in the official press release, it is still a source of frustration for the EU that a permanent appointment is still outstanding.

Almost hidden in that same release however was a seed of something potentially rather significant:

“Among other things, the Commerce Department will revoke the certification of companies that do not comply with Privacy Shield’s vigorous data protection requirements.”

This is a new development, and assuming it is carried through in practice, it answers one of the main criticisms about Privacy Shield – its lack of enforcement. It also marks a notable change for the 4,000-odd companies registered with them.

Previously, Privacy Shield has been viewed by many as a tick-box exercise. Companies would simply upload their privacy policies, pay a fee and then be self-certified. No third party had to be involved to verify the policies or their performance. Clearly, this was hardly robust.

If companies will now need to demonstrate compliance with the requirements of Privacy Shield, and by extension create and follow more robust privacy policies and procedures, then for many this will result in a marked increase in the effort spent protecting EU citizens’ data.

There may still not be the threat of financial fines, but active statements of enforcement are a marked improvement on the past. Revocation of certifications will most likely depend on complaints and whistleblowing, and it is true that the Federal Trade Commission has in two years only received four complaints of companies’ false or lapsed compliance. But GDPR and other national privacy legislation has heightened society’s and companies’ scrutiny of how data is collected, shared and used, meaning more objections are likely, in turn making the possession or loss of the certification more important.

We may well see revoked certifications having dramatic commercial impacts on those companies whose ability to tender for, or continue to hold, certain contracts depends on them holding that certification. For a few, that revocation may even be more dangerous than the fines possible under GDPR, and we all saw how those potential penalties spurred the global business world into action.

Of course, we have to wait and see what actually happens. Privacy Shield will most likely live to see another day, or year. The above warning will lead to either a serious change in how Privacy Shield operates and companies treat it, or the criticism of “toothlessness” will continue. The imminent report will reveal all, but it certainly appears that the wheels are in motion to require companies to go to a great deal more effort with Privacy Shield than they have before.

Equifax, AggregateIQ and what they say about the UK ICO

Data privacy in the UK has hardly been a quiet topic in recent months, but there have been two news stories from the last few weeks of particular note. They are each remarkable individually. Put side by side, they show a trend that is more thought-provoking than the sum of their parts.

It was announced in late September that Equifax was to be fined £500,000 by the UK ICO after hackers stole 15 million UK citizens’ various personal details and records last year. The vulnerability occurred because security patches were negligently overlooked by Equifax’s IT team. Even more galling is that only a couple of months previously, the business had been warned by US Homeland Security that its infrastructure was not secure.

The £500,000 fine is the heftiest sum that the ICO could impose under the pre-GDPR Data Protection Act 1998. And to think that this is the same ICO that only a few years ago was frequently criticised for being unwilling to impose serious fines for data breaches. Even after 2010, when it was first empowered to issue financial penalties, it rarely “went big”. In those first five years, it only levied £7m of fines.

Largely, and perhaps in fact admirably, this was due to a policy of preferring support and collaborative remediation over fines. After all, many feared that fines would be considered by the largest businesses – and the ones that could do the most damage to the public’s privacy – as an acceptable risk of doing business, leaving illicit or unethical processes unchanged. Proactively helping businesses to respect subjects’ privacy without damaging their own productivity, and without threats, was seen by the ICO as the better way to deliver on its core goal – effecting real change amongst UK businesses.

This ethos was regularly reported as set to continue after the introduction of GDPR. Before its arrival, the ICO took great pains to push a strong message that the GDPR was a catalyst for them to work even harder to protect UK citizens’ data by ensuring businesses were using personal data legitimately – and not that it was a weapon to be brandished, other than in the most serious circumstances.

This exception was reiterated by Emma Martins, the Data Protection Commissioner for Guernsey, when she exhibited the exact same mentality in our GDPR Interview Series, published before the GDPR May date. In it, she was quoted as saying:

“The vast majority of processors and controllers want to do the right thing, so if we help them do so, we will all benefit. Having said that, we are going to be ready to implement the legislation if and when we need to. We of course should be seen to correctly address the serious breaches and that is certainly what we will do where necessary and appropriate.”

And so we come to the formal notice from the ICO to AggregateIQ, issued the day after the Equifax penalty was reported.

Both organisations committed their key transgressions before May 2018. But while Equifax’s errors were confined to a point in time in 2017, AggregateIQ not only profiled and targeted voters on behalf of Vote Leave during the Brexit referendum campaign in 2016, it then continued to process the data after May this year. This brought the case under the GDPR, and its far heavier penalties. AggregateIQ is appealing the notice, but the industry speculation is that the largest possible fine of €20m (or 4% of global turnover) is being considered.

In years gone by, the ICO was considered relatively benign. For some, even the two-pronged message of preferring to support rather than fine, unless forced to, was considered an opportunity to shirk difficult decisions. The cases deemed serious enough for headline-grabbing fines would be few and far between, and so the GDPR would remain little to worry about.

That no longer rings true. The Equifax incident has shown the ICO’s appetite, courage and determination to impose punitive measures. AggregateIQ will doubtless reinforce this. It is irrelevant whether the ICO is driven by its mission or by public pressure (and I personally think it is the former) – the net effect is that businesses will have to re-examine the legitimacy and ethics of their processing of UK citizens’ personal data.

The GDPR is only a law. It requires a body to enforce it, and the ICO is clearly up to the challenge.

Businesses must show how serious they are about data privacy

The prospect of legal activity arising from failure to comply with the General Data Protection Regulation (GDPR) is now very real for many small-to-medium-sized businesses.

The European Union’s landmark set of regulations comes into force next May, making it imperative that any organisation storing or processing customer data in the cloud needs to demonstrate what it has done to achieve compliance.

The alternative course could potentially lead to exposure by European citizens (and their lawyers) exercising their rights to see whether personal data is being handled in compliance with the new regulation. Since so many organisations hoard data in the hope that one day some value can be extracted from it, the dangers are substantial.

It is easy to get it wrong

It is incredibly easy to fall foul of the new rules. Few realise, for example, that the CV of an unsuccessful job applicant should be deleted if no explicit consent for the file’s retention is obtained. This is because the data is no longer relevant under the terms of the GDPR.

Many businesses have also failed to install a suitable mechanism for answering subject requests about data, in some cases sending out masses of data unnecessarily. And relying on cyber risk insurance for protection is likely to be futile, given the potentially immense costs of a GDPR breach, which include penalties of up to four per cent of global turnover, along with the financial drain of having to compensate affected individuals.

What an organization can do to comply

There are, however, some simple steps a business can take to protect itself especially if it is entrusting substantial amounts of personally identifiable data to the cloud in order to run its applications.

For a start, organisations should insist on full compliance with the already-existing standards that cover the cloud, even if they are not specific to it. These include ISO27001, PCI compliance and Sarbanes-Oxley Act compliance (or SOX). They should also insist on those specifically related to the cloud, such as CSA STAR.

Yet this is only a start, because full GDPR-compliance requires considerably more. A cloud provider must, for example, be able to work to a legal contract defining the restrictions around the key Data Controller and Processor relationship concepts of the new regulation.

Unfortunately, many organisations enjoying the benefits of the cloud do not fully understand how much of its resources they are consuming, either from SaaS solutions or from their gradual accumulation of IT and dev-ops initiatives. In the age of the GDPR this is a reckless position to be in.

This is where the hands-on advice of experts such as Calligo is essential, establishing what is compliant so that processes and workflows can be adapted accordingly, using the applications and technologies that are available. For a mid-tier business, this is no small task, but it is perfectly achievable because Calligo has unmatched expertise in GDPR compliance and an understanding of how to apply best-practice standards in everyday contexts.

Greater urgency required over compliance

As more and more tech companies embrace subscription-style services in the cloud, the need to act in compliance with the regulation becomes ever more urgent. The GDPR demands that organisations have far better understanding and supervision of their cloud footprint (and indeed their private infrastructures and data-sets).

While there is no single, magic tool that will sort out compliance for an organisation, businesses must master data governance now and build in a privacy-by-design approach to their cloud use.

With Calligo’s guidance, a business will not have to worry about how it can demonstrate to regulators that it has taken all reasonable steps and implemented the appropriate technological advances, as GDPR requires.

It is not just a question of living in fear of hungry lawyers or super-vigilant regulators either. The cost and efficiency benefits of having better data stewardship enhance overall business effectiveness immensely. Actively taking steps to achieve GDPR compliance through the best data governance available gives any business a real competitive edge.

Businesses are worried about managing data in the lead up to GDPR

Concern about the strict new General Data Protection Regulation continues to focus on security at the expense of data privacy

93% of companies are worried about the storage of their data in the cloud after the General Data Protection Regulation (GDPR) and 91% are concerned about how the new rules will affect cloud services, according to new research from Calligo, a world-leading cloud solution provider.

69% of UK boards neglect GDPR compliance

IT decision-makers report inadequate levels of sponsorship from the C-suite despite the General Data Protection Regulation deadline next May

69% of board-level executives are neglecting to ensure the UK businesses they run will comply with the General Data Protection Regulation (GDPR), according to new research from Calligo, a world-leading cloud solution provider.

The figures were in a survey of 500 IT decision-makers in companies with more than 100 employees and £15 million turnover, examining how businesses are preparing for the new regulation.

Only 31% of respondents said they had governance sponsorship for GDPR at board level, while just 9% said their compliance departments were giving them full support. This lack of interest at the top level comes despite more than six out of ten (62%) respondents agreeing that the new regulation would affect the profitability of their business, including 19% who said the impact would be negative.

“It is worrying to see signs that GDPR governance does not have the full attention of so many C-level executives,” said Julian Box, CEO, at Calligo. “Too many of those at the top think it is all about security, when that is only a part of it.”

“The deadline for compliance is May 25 next year and any company that subsequently fails to handle data in the correct manner risks the severe penalties stipulated in the regulation. The top people in every organisation need to get to grips with this challenge, ensuring that their data is being stored and handled in full compliance.”

The survey found that only 43% of companies have appointed and resourced a Data Protection Officer, despite this being a requirement of the GDPR for medium-sized and larger businesses. In IT and telecoms, the figure is just 37%, while in manufacturing and utilities it is just 36%.

On average, organisations said they will employ 10 people on the task of achieving GDPR compliance, with the healthcare sector proving the most committed, devoting an average of 26 employees. This compares with averages of nine in IT and telecoms and four in arts and culture.

Calligo is an expert in the General Data Protection Regulation, which comes into force next year and which will standardize the protection of personal data of EU citizens.