Information Governance

Subscribe to Information Governance

With less than three months until the General Data Protection Regulation 2016/279 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October 2017.

The revised Guidelines are largely similar, so in this blog, we provide a recap of the Guidelines regarding personal data breach notification requirements under GDPR.

Personal data breach

The WP29 has provided that a personal data breach – that is, a breach of security which could lead to loss, destruction, damage or unauthorised disclosure or access to personal data – can be categorised as follows:

  1. Confidentiality breach: unauthorised or accidental disclosure or access to personal data.
  2. Integrity breach: unauthorised or accidental alteration of personal data.
  3. Availability breach: accidental or unauthorised loss of access or destruction of personal data.

Continue Reading Article 29 Working Party issues revised guidance on personal data breach notification

On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT-Systems – “BAIT”). The BAIT is available in German language at the BaFin’s website. The final version of the BAIT incorporates a number of revisions that result from the submissions made by stakeholders in the course of a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to give guidance on the BaFin’s interpretation of the statutory requirements under Section 25a(1) s. 3 no. 4 and 5 and Section 25b of the German Banking Act (Kreditwirtschaftsgesetz – KWG). The BAIT sets out the BaFin’s understanding of how reasonable technical/organisational features of IT systems used within financial institutions should look like, taking in particular into account the requirements for IT security and a sufficient emergency concept. The BAIT also addresses the increased engagement of third party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions, Section 25b of the German Banking Act.Continue Reading German Federal Financial Supervisory Authority (BaFin) publishes circular on regulatory requirements for financial institutions’ IT systems

The EU Commission recently launched a Public consultation on Building the European data economy. The objective behind the consultation is to feed into the Commission’s future policy agenda on the European data economy in 2017.

The data economy

In its Communication entitled “Building a European Data Economy,” the Commission has re-identified (from its 2012 Communication) the need to upgrade the EU’s legal regarding the trade of data.
Continue Reading Building the EU data economy: time for an upgrade?

In its speech at the FT Cyber Security Summit, the FCA has outlined its approach to cybersecurity in financial services firms. In addition to this, the Group of 7 (“G7”) has issued an 8-point framework for the financial sector as a push for financial firms to design a cybersecurity strategy.

We explore each piece of guidance below.
Continue Reading FCA and G7 issue cybersecurity guidelines for the financial sector

TheCityUK and Marsh have jointly published a report urging UK financial and related professional services sectors to step up their efforts to address cyber risk. The report (headed “Cyber and the City”) suggests that cybersecurity is still not being given the priority it deserves, particularly given the substantial disruption, costs and reputational damage that can

In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubula v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June

The Council of the European Union adopted the EU Network and Information Security (NIS) Directive (the ‘Directive’) 17 May, ready for final adoption by the European Parliament. The Directive, initially proposed in 2013, has been progressing through the EU legislative procedure for some time. As we reported in December last year, the Directive covers

Responding to the increasingly significant threats to customer payment information, the Payment Card Industry Security Standards Council (‘PCI SSC’) has published an update to its data security standard (‘PCI DSS’). Version 3.2 seeks to protect cardholder data by introducing:
Continue Reading PCI Council Reacts Again to Data Security Threats

The long-awaited General Data Protection Regulation was published in the Official Journal of the European Union on 4 May 2016. This means that the most comprehensive reform to the EU’s omnibus data protection law in 20 years will apply throughout the European Union from 25 May 2018.

We have written in previous posts (here

It is commonplace to turn on the television news and hear of a new data breach from a large retailer or someone else. No one wants the legal problems (not to mention the embarrassment and the hit to reputation) from having their systems breached. Consequently, data security is on everyone’s mind.

However, many companies have