A Guide to Data Breach Reporting Obligations
All too often, data breaches are a result of preventable, internal errors. These mistakes and the reputational damage that follow them are increasingly keeping business leaders up at night. What is often most concerning is that it’s not only the financial damage that can cause catastrophe. When the personal data of thousands of customers and partners are affected by a data breach, organisations can also face significant legal ramifications in the form of litigation and GDPR violations. This article will discuss the key considerations and steps that should be taken to reduce fallout and ensure reporting obligations are met in the event of a data breach.
FTI Consulting Provides GDPR Assessment and Action Plan for Global Energy Company
When Europe’s General Data Protection Regulation (GDPR) was enacted, many U.S. corporations were suddenly facing data protection requirements far more stringent than any preceding privacy rules. This was the case for a Houston-based drilling company, which had a significant international footprint, including in Europe, but limited visibility into how its practices were impacted by the new regulation. With an active GDPR compliance program in development, the company engaged FTI Consulting’s Information Governance, Privacy & Security (IGP&S) practice to conduct a readiness assessment and provide a roadmap of additional steps needed to bring the company into full compliance.
What Companies Need to Know About the ADGM Data Protection Regulation
In February this year, the Abu Dhabi Global Markets (ADGM) passed the Data Protection Regulation (DPR2021), which bears a striking resemblance to the EU GDPR, and the U.K. GDPR specifically. The former legislation, dating back to 2015, was based on the Organization for Economic Co-Operation and Development (OECD) guidance, which was significantly different from GDPR’s standards. What this means is that for companies operating in the ADGM, major regulatory changes are afoot.
Data Mapping for Privacy Obligations and Beyond – How to Reduce Risk and Increase Value
Emerging regulations like CCPA and GDPR have prepared us for compliance readiness – but not without challenges. The anticipated volume of Data Subject Access Requests (DSARs), coupled with the vast amounts of personal data collected and stored, will make responding within regulatory deadlines far from easy, especially when organisations must first know where all the data resides, how it is being used, and which contractual, legal and regulatory obligations apply to it. The answer is “Data Mapping” – a crucial backbone for compliance and the overall health of an organization.
Limping to the GDPR Finish Line - Why Many Companies Still Aren’t Fully Compliant
To date, GDPR compliance at most organizations has been approached from the top down. Policies and procedures are essential. However, now that most organizations have those in place, it is time to begin revisiting GDPR programs from the bottom up — starting with the systems where data lives, to ensure cohesive alignment between the existing privacy policies, business requirements, and the IT systems and infrastructure.
Europe’s Top Court Delivers Landmark Privacy Decisions with Broad Implications for the Regulation of the Internet
Europe’s highest court, the European Court of Justice ("ECJ") in Luxembourg, ruled on two cases last week involving GDPR’s right to be forgotten as it applies to information available on the internet. In the first ruling, the court held that the privacy rule cannot be applied outside the European Union. In the second, the court said that the right to freedom of information must be balanced against the right to privacy, and specifically against the right to have links related to certain categories of personal data automatically deleted.
Integrating Data Privacy Into Your Organization’s Business Strategy
With the advent of regulations like GDPR and the California Consumer Privacy Act of 2018, corporate leaders are beginning to recognize that poor data privacy risk management can harm competitive advantage, weigh down return on investment and have long term erosive effects on shareholder value. But how involved should executives be in privacy risk management decision making? And how can the corporate boards, the C-suite and legal and compliance stakeholders align business goals with privacy risk management?
Ad Techs and Transparency Issues Take Center Stage for GDPR Enforcement Activity
In many ways, 2018 was a year of waiting. Waiting first for the General Data Protection Regulation (GDPR) to go into effect on May 25th. Then waiting again to see how regulators sought to investigate privacy complaints and enforce the new law. Now within the first two months of 2019, we’ve seen the beginnings of the anticipated uptick in European enforcement activity. And it is not a surprise to see the ad-tech space drawing most of that regulator attention.
In the last half of 2018, GDPR enforcement activity among data protection authorities across Europe saw a steady uptick and the trend will continue in 2019. Organizations in a broad range of industries received public reprimands, enforcement notices and fines. Violations ranged from data breaches, to lack of security practices and failure to obtain consumer consent to collect data.
Five Lessons Learned from Early GDPR Fines
Earlier this month, data protection authorities in Portugal doled out a €400,000 fine to a hospital for failure to apply appropriate access controls over digital patient data. This is one of the first penalties we’ve seen issued under GDPR since its enactment earlier this year. There are several interesting elements of this particular case, one of which is the fact that fines were imposed even though no data breach event occurred.
GDPR Compliance - The Unintended Consequences for Organisations
GDPR has made data protection a reality not only for heavily regulated industries but for all organisations. Once seen purely as a legislative burden, GDPR compliance is now providing organisations with a range of benefits.
Data Management – From the Basements to the Boardroom
Data is a strategic asset, and GDPR has raised the profile of data management from the basements to the boardroom. It has assigned a strategic value to understanding our data: how we use it, where we store it, how it flows between systems and processes, and ultimately how long it should be retained and protected. In this short video, information governance expert Nina Bryant talks about how GDPR has been a driver for organisations to assess both the risk and the value of the data they hold.
Are Data Subject Access Requests a Trick or a Treat?
It’s that time of year… no, not when bands of trick-or-treaters are traipsing up your walk, but when the ghoulish specters called data subject access requests (DSARs) are going to start flooding in.
Recommended Reading: Data Breach and Potential Class Action in UK
After a recent data breach, a law firm is threatening the company with a potential class action lawsuit, citing Article 82 of the U.K. Data Protection Act. Specifically, the law firm is citing the "right to compensation and liability" — which states, "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
GDPR Breach Crisis: Are You Prepared?
The GDPR compliance deadline might have passed but over two-thirds of UK firms acknowledge they are at risk of a GDPR breach crisis. While data mapping and updating privacy policies are an important aspect of GDPR preparedness, many companies will struggle to respond to GDPR breaches and incidents.
Leading the Way with Information Governance
By the end of May 2018, the landscape of how organisations manage information about clients will be completely transformed by some of the world’s toughest new legislation.
Five Steps to Prepare for GDPR
When the European General Data Protection Regulation (GDPR) enforcement kicks in this May, responding to data subject rights will be a challenge for many large organizations. The GDPR enables EU individuals to ask corporations what personal data they hold on them, or even to have that personal data deleted. Requests must be responded to promptly, within one month, leaving companies very little time to perform a task that they may not be equipped to handle. No barrier exists for citizens to exercise these rights, and some countries are planning campaigns to educate the public on them in the coming year.
GDPR Countdown - May 2018: The Starting Point, Not the Finish Line
Companies around the globe are impacted by the landmark EU legislation, the General Data Protection Regulation (GDPR), which comes into force on May 25, 2018. While there is tremendous focus on the steep fines, the risks associated with reputational damage due to the inappropriate management of personal data are much greater.
Using Information Governance Tactics to Prepare for the GDPR
Much like Information Governance, preparation for the General Data Protection Regulation is a cross-departmental concern that requires input from many different groups within an organization, including privacy, compliance, legal, line of business, IT and information security.
GDPR: A Challenge and an Opportunity
In the first of our series of short videos on GDPR, Sonia Cheng, FTI Consulting’s European Information Governance Leader, talks about what GDPR is, the key steps to compliance, and what to do if you have limited time and budget.
Using Information Governance Strategies to Prepare for the GDPR
The General Data Protection Regulation (“GDPR”) goes into effect in roughly one year and yet many companies are still behind in preparing for compliance. This webcast will help you understand the top priorities and challenges with meeting GDPR requirements, how to assess your organization’s exposure, how to prioritize actions and how to take the first steps toward compliance.
We asked 33 in-house compliance leaders: How can organizations create an information governance framework that protects data while staying adaptive to the rapidly evolving business landscape?
Transforming Risk with Better Information Governance
As regulated companies are required to manage ever growing amounts of data, and regulators are imposing increasingly severe fines, how can firms ensure they comply with this greater scrutiny?