Information Governance

ICO expects large organisations to make financial investments to maintain their security standards

A recent £4.4m fine imposed by the ICO in October 2022 sets out its views on the responsibility of parent companies and senior management, and on the financial investment it expects organisations to make in their security standards to prevent cyber attacks.

What are eComms and why are they resulting in fines in the hundreds of millions of dollars for some of the world’s largest banks?

Join us in our latest Tech Law Talks podcast series as we explore the regulatory topic du jour: eComms. What are eComms and why are they resulting in fines in the hundreds of millions of dollars for some of the world’s largest banks? The answer is simultaneously simple and complex: rapidly changing technology means that keeping up with the variety of eComms, or electronic communications, used by businesses, and applying decades-old regulations to new functionality, is more challenging than ever before.

Government releases proposals to reform UK data protection laws

On 17 June 2022, in response to its consultation in 2021 on the same topic (which we wrote about here), the UK government published more detailed proposals to reform data protection laws in the UK. The response to the consultation can be found here. The reforms are intended to enable greater use of personal data, and so economic growth, by removing barriers and reducing obstacles for organisations, whilst maintaining high standards of personal data protection and EU adequacy.

Modern businesses have a more global reach than ever before. Technology has fundamentally changed the way employees work, communicate and collaborate. While global connectivity offers businesses opportunities, it also creates substantial challenges when it comes to archiving communications.

Earlier this month, we co-hosted a thought leadership event in New York City with Smarsh, a multinational

A snapshot comparison of data protection certifications in Singapore

Increasingly, businesses are looking to adopt data protection certifications and standards for myriad reasons, including enhancing consumer trust, demonstrating compliance when contracting with partners and managing regulatory risk.

We have prepared a high-level comparison to guide Singapore businesses in determining which certification or certifications could be the best fit.

ISO/IEC 27701:2019

Who can apply: All organisations, private or public, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.

Features: The ISO/IEC 27701:2019 standard provides a data privacy extension to ISO/IEC 27001:2013 Information Security Management and ISO/IEC 27002:2013 Security Controls. It extends their requirements to take into account, in addition to information security, the protection of the privacy of individual consumers as potentially affected by the processing of personal data.

The annexes to the standard list the applicable controls for data controllers and processors, and map the provisions of the standard against the EU General Data Protection Regulation (GDPR), amongst other things.

UK’s two-year strategy to boost data and AI

On 20 March 2019, the UK Centre for Data Ethics and Innovation (CDEI) released its 2019/20 Work Programme and two-year strategy to enhance the benefits of data and Artificial Intelligence (AI) for UK society and the economy.

What’s in scope?

CDEI is an advisory body founded by the UK government and is led by an independent board of experts. For the next two years, CDEI plans to shape a policy, regulatory and cultural environment in the UK that promotes constructive and ethical innovation in data and AI-driven technology. CDEI is well placed to draw on the know-how and expertise of the UK, a country recognised as a global leader in data-enabled technology.

Under its two-year strategy, CDEI’s main objectives are to:

a. Promote policy and governance that enables data-driven technology to improve people’s lives;

b. Ensure the public’s views inform the governance of data-driven technology;

c. Ensure the governance of data-driven technology can safely support its rapid development (this means not only addressing issues from recent years but also continuing to be alert to emerging problems); and

d. Foster effective partnerships between civil society, government, research organisations and industry players.

Article 29 Working Party issues revised guidance on personal data breach notification

With less than three months until the General Data Protection Regulation 2016/279 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) has published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October 2017.

The revised Guidelines are largely similar, so in this blog we provide a recap of the Guidelines regarding personal data breach notification requirements under the GDPR.

Personal data breach

The WP29 has provided that a personal data breach – that is, a breach of security which could lead to loss, destruction, damage or unauthorised disclosure of, or access to, personal data – can be categorised as follows:

  1. Confidentiality breach: unauthorised or accidental disclosure of, or access to, personal data.
  2. Integrity breach: unauthorised or accidental alteration of personal data.
  3. Availability breach: accidental or unauthorised loss of access to, or destruction of, personal data.

German Federal Financial Supervisory Authority (BaFin) publishes circular on regulatory requirements for financial institutions’ IT systems

On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT-Systems – “BAIT”). The BAIT is available in German on BaFin’s website. The final version of the BAIT incorporates a number of revisions resulting from the submissions made by stakeholders in the course of a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to set out BaFin’s interpretation of the statutory requirements under Section 25a(1) s. 3 no. 4 and 5 and Section 25b of the German Banking Act (Kreditwesengesetz – KWG). The BAIT sets out BaFin’s understanding of what reasonable technical and organisational features of IT systems used within financial institutions should look like, taking into account in particular the requirements for IT security and for a sufficient emergency concept. The BAIT also addresses the increased engagement of third-party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions (Section 25b of the German Banking Act).