The GDPR, Year II

By Noémie Weinbaum on May 26, 2020

With children, reaching the age of two is usually the change from a beautiful newborn to a moving creature that has reached the terrible twos.

It may be that the same is happening to the General Data Protection Regulation as it approaches the mark of its second year of enforcement: Data Protection Authorities (DPAs) seem to be paralyzed by limited budgets and a lack of resources, and most DPAs consider that the GDPR is not fully enforced. The Brave report issued by the Brave Community, a forum where people who care about the internet and their browsing experience come to discuss with each other, shows that only five of Europe’s 28 national GDPR enforcers have more than 10 tech specialists. Half of EU GDPR enforcers have limited budgets (under €5 million), leading some to believe that European governments have failed to properly equip their national regulators to enforce the GDPR. Recently, Brave even called on the European Commission to launch an infringement procedure against EU Member State governments for failing to implement Article 52(4) of the GDPR, which provides that “Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers […]”.

Beyond enforcement challenges, the GDPR has gone through two major crises: first Brexit and then the outbreak of COVID-19.

Though terrifying for many people, Brexit was handled relatively easily through a transition period, which runs until 31 December 2020 and during which UK organisations are bound by two laws: the EU GDPR and the UK DPA (Data Protection Act 2018).

The EU GDPR will no longer apply directly in the UK at the end of the transition period. However, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amend the DPA 2018 and merge it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit, with only insignificant differences between the EU GDPR and the proposed UK GDPR. In short, organisations that process personal data should continue to comply with the requirements of the EU GDPR, and doing so will meet their obligations in the UK as well. The only question left is whether, and to what extent, the EU Commission will issue an adequacy decision in favour of the UK.

The second major crisis is the COVID-19 pandemic, which presented new challenges, among them new contact-tracing apps, the explosion in remote working at controllers, processors and sub-processors, and questions about how employers can ensure the health and safety of their workforce without compromising data subjects’ privacy rights. Additionally, the sudden “mass exodus” home has been accompanied by unprecedented hacker activity and new (personal) data protection risks. “It’s like we’ve kicked over a hornet’s nest,” says Raj Samani, chief scientist at McAfee.

Data breaches are not limited to those caused by hackers; they also result from simple data loss, such as a misplaced corporate USB stick. Remote working weakens IT security for unprepared companies; vendors in some jurisdictions and in some roles did not have the infrastructure in place to continue offering their services properly after stay-at-home orders. The main risks can be grouped as follows.

With respect to IT security:

  • using inadequately secured private or mobile devices (no antivirus software, out-of-date operating system software, no encryption solution, etc.) or using an unsecured Wi-Fi network;
  • using popular free messaging and meeting applications;
  • using social media platforms for business purposes;
  • not using a VPN and other corporate solutions;
  • having no back-up plan;
  • lack of video surveillance;
  • the presence of other people, Siri, Alexa and other listening/sensing devices.

With respect to physically securing data:

  • risk of loss during the transfer of documents;
  • not adapting space at home for remote work, making it possible for equipment to be damaged or sensitive documents to be stolen.

With respect to the organization:

  • having no fundamental business continuity measures in place and no back-up equipment;
  • low employee awareness, since training on personal data protection threats previously focused on the risks present in normal office work.

The threats are numerous, but the risks can still be mitigated:

  • Draft (or update) a remote work policy and make sure there are processes around remote working. This might be part of an existing Acceptable Use Policy or a standalone document.
  • Inform your employees of the minimum security requirements for the devices and networks they use, and put technical measures in place to verify that your workforce is adhering to these requirements.
  • Limit your employees to sanctioned messaging and meeting software, and train them on why many popular applications may not provide an adequate level of data protection and are usually not intended for business use.
  • Train your employees on why privacy and security matter in general.
  • Make sure devices run up-to-date antivirus software and that employees have a VPN solution available when required by policy or by their activities.

COVID-19 has marked the end of the world as we knew it. Our lives may be changed forever by new work styles, unprecedented cybersecurity issues, innovative policies, new hygiene rules and so on. The fight against COVID-19 is not just a matter for the organisation, its employees or its customers but a joint effort from everyone. Obviously, organizations will need to rethink their cyber risk management in the post-COVID-19 period, and should not forget along the way the rules and the framework set by the GDPR whilst rebuilding the world after.

The GDPR has proved to be a robust tool for guiding companies, officials and public health authorities in the response to the COVID-19 crisis. Allocating increased financial and human resources to the DPAs across the EU will allow them to address the large number of complaints, whilst it is up to the European Commission to ensure that no fundamental rights are violated.


About the Author

Noémie Weinbaum

LL.M, CIPP-E, admitted to the Paris Bar since 2003. With nearly 20 years of experience in Information Technology Law and Privacy, ten of which were spent in the finance sector as Deputy Head of Legal Shared Services for Natixis, Noémie has a long record of negotiating complex deals in international and regulated contexts, and ...

Categories: Data Security
