ENISA launches security mapping tool

The European Union Agency for Cybersecurity (ENISA) has been supporting the European Union (EU) Member States in developing, implementing and evaluating their cyber security strategies. Since 2012 and as part of this support, ENISA has been developing tools, studies and guidelines to help EU Member States build on their national cyber security strategies. The latest of these developments, launched on 28 November 2019, is a security mapping tool for operators of essential services (OES) and digital service providers (DSPs) in the energy, banking, health and digital infrastructure sectors, helping them comply with their obligations under the Network and Information Systems Directive 2016/1148 (NIS Directive).

Below we take a closer look at the new security mapping tool.

A snapshot comparison of data protection certifications in Singapore

Increasingly, businesses are looking to adopt data protection certifications and standards for myriad reasons, including enhancing consumer trust, demonstrating compliance when contracting with partners and managing regulatory risk.

We have prepared a high-level comparison to guide Singapore businesses in determining which certification or certifications could be the best fit.

ISO/IEC 27701:2019

Who can apply: All organisations, private or public, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.

Features: The ISO/IEC 27701:2019 standard provides a data privacy extension to ISO/IEC 27001:2013 Information Security Management and ISO/IEC 27002:2013 Security Controls. It extends their requirements to take into account, in addition to information security, the protection of privacy of individual consumers as potentially affected by the processing of personal data.

The annexes to the standard list the applicable controls for data controllers and processors, and map the provisions of the standard against the EU General Data Protection Regulation (GDPR), amongst other things.

The EBA releases its final ‘Guidelines on ICT and security risk management’ report

Last week (28 November 2019), the European Banking Authority (EBA) released the final version of its report entitled ‘EBA Guidelines on ICT and security risk management’ (the Guidelines) (link here) on the mitigation and management of financial institutions’ (FIs) information and communication technology (ICT) and security risks. We highlight below some of the key takeaways.

Background

The EBA released a previous version of the guidelines back in 2017. The Guidelines will incorporate and repeal the 2017 guidelines once the Guidelines come into force on 30 June 2020. The Guidelines are also intended to be read alongside the guidelines on outsourcing that came into force at the end of September 2019.

The Guidelines aim to harmonise requirements for ICT and security risk management.

Their scope will cover:

  • Credit institutions and investment firms (as defined in the EU Capital Requirements Directive) for all of their activities
  • Payment service providers (subject to the revised Payment Services Directive) for their payment services

Updated ICO guidance on handling special category data

On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here) for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both a GDPR article 6 and an article 9 processing basis when they process special category personal data. Additionally, in some cases, the ICO will require organisations to: (i) prove they have carried out data protection impact assessments; and (ii) have an appropriate policy document (a template is provided by the Guidance) where they rely on GDPR article 9 to process special category personal data and meet their Data Protection Act 2018 (DPA 2018) obligations.

Background

Special categories of personal data are set out at GDPR article 9(1) and clarified at recital 51. Special category personal data is more sensitive than ordinary personal data. As a result, GDPR affords special category personal data greater protection. Special category personal data concerns data subjects’ racial or ethnic origin, health information, trade union membership, religious beliefs, sexual history or preference, and so on. Genetic and biometric identification data is also included. There are “significant risks to the individual’s fundamental rights and freedoms” when processing such personal data. Organisations therefore need to ensure that greater care is taken when processing it.

Open banking: the Basel Committee on Banking Supervision has its say

On 19 November 2019, the Basel Committee on Banking Supervision (BCBS) published its report on open banking and its implications for banks and banking supervision. The report builds on the BCBS’ previous findings on open banking and application programming interfaces (APIs) in its 2018 report (“Sound practices on the implications of FinTech developments for banks and bank supervisors”). We highlight findings from the report from a data protection perspective below.

Background

The report (including the 2018 report) recognises that technological advances and customers’ need for greater access to information and services have transformed traditional banking, and potentially opened a divide between incumbent banks, and specialised FinTech firms and new intermediaries.

Data sharing in third party arrangements has been increasingly prevalent due to the diversity of services that open banking brings: financial management tools, seamless payment transmissions between banks, vertically integrated financial services – the list goes on. The BCBS has focused on ‘customer-permissioned data sharing’, where customers grant permission to third party firms to access their data through the customers’ banks. These third party firms would collect such data through data aggregators – which may employ various techniques, such as screen scraping or reverse engineering, to access and store customer credentials.

EDPB adopts final version of guidelines on the territorial scope of the GDPR

On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation.

We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of the GDPR (here), and the second blog post considered the need for non-European Union (EU) controllers to designate a representative located in the EU (here).

The guidelines seek to provide a common interpretation of the GDPR Article 3 for data protection authorities when assessing whether processing by a controller or a processor falls within the territorial scope of the GDPR. The final guidelines maintain the interpretation adopted in the first draft of the guidelines but now include further explanations from the EDPB addressing comments received during the public consultation. Below, we consider some of the EDPB’s new additions in the final version of the guidelines available here.

German DPA releases findings of GDPR readiness audits of 50 organizations

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).

Summary of findings in the Report

We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.

The Lower Saxony DPA has now summarized its findings of the audits. It has grouped the audited organizations based on a traffic light system:

  • Green (= mainly satisfactory): 9 organizations
  • Yellow (= some deficiencies): 32 organizations
  • Red (= major deficiencies): 8 organizations

The Report also highlights the GDPR compliance items that still raise the most and the least concerns:

  • Most deficiencies: IT security, data protection impact assessments (DPIA)
  • Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
  • Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability

New requirements for Singapore banks to include provisions in service contracts on protection of customer data

On 4 November 2019, Singapore’s Parliament published a draft amendment to the Banking Act.

Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to:

(a) safeguard the confidentiality and integrity, and ensure the availability, of the banks’ information; and

(b) protect all customer information against unauthorised disclosure, retention, or use.

Where the service provider is a branch or office of the bank, specific provisions covering the above must be included in the branch or office’s policies and procedures.

Where the service provider is an external party, however, then the relevant provisions must be included in the contract between the bank and the provider.

Such policies and procedures, or contract, as the case may be, must also confer on the bank, the regulator (the Monetary Authority of Singapore or MAS), or an auditor appointed by the bank, the right to audit the books of the service provider to ensure that the above requirements have been complied with.

EU–U.S. Privacy Shield: EU Commission issues its third annual review report

On 23 October 2019, the European Commission (the Commission) released its report on the third annual review of the functioning of the EU–U.S. Privacy Shield (Privacy Shield). The report summarises various improvements in the functioning of the framework, and further ‘concrete steps’ that need to be taken to ensure its continued effectiveness.

Background

The Commission’s Privacy Shield adequacy decision obligates the Commission to carry out annual reviews of the framework. To date, there have been two annual reviews (September 2017 and October 2018). The 2019 review took place in Washington D.C., with representatives from the Commission, European Data Protection Board (EDPB), and various U.S. government departments and offices in attendance. The Commission’s findings are divided between:

  • commercial aspects of the framework (compliance, administration, oversight, enforcement by U.S. authorities); and
  • aspects concerning public authorities’ access to personal data transferred under Privacy Shield.

We focus our discussion on the commercial aspects of the review.

Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include: