Anatomy of a 90% fine reduction: How BA saved $200M on GDPR penalty
The U.K. Information Commissioner’s Office agreed to slash its intended GDPR fine for British Airways from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million). What was behind the massive reduction?
Corrective action could trump fines as GDPR evolves
Experts discuss whether EU data protection authorities would be better served using corrective actions other than eye-watering fines to encourage companies to commit to best (and legal) GDPR practices.
White paper: The Data Trinity: Governance, Security & Privacy
Creating policies for data handling and accountability and driving culture change so people understand how to properly work with data are two important components of a data governance initiative, as is the technology for proactively managing data assets.
EY allegedly flubbed Wirecard dealings worse than we thought
In this week’s “Nailed It or Failed It,” we take down EY and JPMorgan Chase for apparently ignoring whistleblowers and give the SEC a nod for rewarding them.
H&M Germany fined $41.3M in one of largest GDPR penalties
In one of the largest GDPR fines imposed, a regional data protection authority in Germany fined H&M Germany €35.2 million (U.S. $41.3 million) for excessive monitoring of several hundred employees by one of the retailer’s subsidiaries.
Breach costs Premera Blue Cross $6.85M; second-largest HIPAA fine
Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.
BoA a silver lining in damning ‘FinCEN Files’ report; Wells Fargo CEO puts foot in mouth
Bank of America gets a pat on the back for going beyond an “observe and report” approach to filing a SAR, and we learned this week that Wells Fargo’s CEO needs a little unconscious bias training.
Companies face greater risk as GDPR class actions emerge
In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of the GDPR. Neil Hodge explores the trend and what to expect moving forward.
Déjà vu: Senate committee revisits need for federal privacy law
Nearly a year since their last hearing to discuss the urgent need for a federal privacy law in the United States, the Senate Committee on Commerce, Science, and Transportation largely remains stuck in neutral.
What CCPA-affected businesses need to know about California’s next privacy initiative
Businesses with operations in California should expect their data privacy compliance obligations to get a lot more complicated next year with the California Privacy Rights Act expected to pass in November.
e-Book: Companies still wrestle with data privacy regulation
This e-Book offers results from a recent Compliance Week and OpenText survey exploring why companies are still struggling with California Consumer Privacy Act compliance.
U.K. lawsuit seeks $3.2B from YouTube for violating children’s privacy
A first-of-its-kind lawsuit in the U.K. alleges YouTube unlawfully collects personal information from children without parental consent and harvests their data for advertising purposes, in violation of British and European data privacy laws.
Credit to JPMorgan Chase in this week’s banking-themed naughty/nice list
JPMorgan Chase, Danske Bank, Deutsche Bank, and Bank of America all either “Nailed It” or “Failed It” this week.
Ireland’s order to Facebook to halt data transfers could have ‘profound’ impact
The Irish DPC’s order to Facebook to halt the transfer of European citizens’ personal data to the United States could pose operational and legal challenges that set a precedent for not only other tech giants, but companies generally.
More Privacy Shield fallout: Swiss-U.S. pact ruled inadequate
The Swiss Federal Data Protection and Information Commissioner believes the Swiss-U.S. Privacy Shield “does not provide an adequate level of protection for data transfer from Switzerland to the US.”
European Commission: No Privacy Shield replacement in sight
The European Commission this week warned there will be “no quick fix” to replace the now-invalidated Privacy Shield, which governed data transfers between the European Union and United Sates.
Credit social media giants for prepping for election chaos
Silicon Valley’s social media heavyweights deserve a nod for “war-gaming” potential misinformation scenarios in advance of November’s elections, while McDonald’s again finds itself on our “Not Lovin’ It” list.
CPE Webcast: How to minimize privacy risks and maintain regulatory compliance
Establishing an effective data retention policy is a key step in managing and protecting one of your organization’s most valuable assets: it’s data.
CPE Webcast: Capturing, managing communications data in modern enterprise
Today’s employees and customers generate a lot of communications data, in a lot of formats and in a lot of locations, from computers and on prem servers to mobile devices and the cloud.
EU data authorities take different approaches to Privacy Shield ruling
It appears Europe’s data authorities are prepared to interpret a key court judgement as they see fit in the absence of definitive guidance from the bloc’s primary privacy regulator.
Credit to KPMG for shining a light on fraud at Wirecard
A scathing report on the extensive fraud at German payment giant Wirecard had a compliance silver lining: KPMG’s by-the-books, transparent approach to a special audit helped bring that fraud to light.
CPE Webcast: Surviving the next chapter of CCPA and unstructured data management
The California Consumer Privacy Act (CCPA) caused many U.S. companies to rethink their approach to data privacy when the law went into effect on January 1, 2020, and again when enforcement began on July 1, 2020.
Clash over draft Twitter GDPR decision exposes differences among EU authorities
As Ireland’s first GDPR decision against Big Tech hangs in limbo, experts are scratching their heads as to why a seemingly straightforward case is headed to the EU’s data governing body to rule on.
SEC wants to curb sensitive data contained in CAT submissions, EDGAR filings
Rule changes proposed by the SEC seek to limit the amount of personally identifiable information required in data submitted to the Consolidated Audit Trail and for public company filings.
Jury’s out on Wells Fargo compliance moves; Twitter #fail for Irish DPC
While it’s not yet clear whether Wells Fargo’s compliance moves (including the loss of its CCO) will pay off, we’re much more certain about the Irish Data Protection Commission’s stance on a potential Twitter fine.
How far is too far with employee monitoring? Barclays case could offer litmus
The U.K. Information Commissioner’s Office is investigating allegations that Barclays Bank had effectively been spying on employees by using an intrusive software system that monitored workers’ activity.
EU privacy advocate targets Facebook, Google in latest salvo
Privacy campaign group NOYB has filed complaints against 101 websites with European operators that it says are still sending data to the U.S. via Google and/or Facebook integrations—potentially in breach of the EU’s strict data privacy rules.
Trump’s TikTok crusade a hollow win for privacy
There’s no questioning the need to protect the data of U.S. citizens from China, but it’s naïve to think pressuring TikTok to take up a U.S. owner is anything more than a hollow victory given our lack of federal oversight in the area of privacy.
Oracle, Salesforce targeted in class-action GDPR lawsuits
A European privacy group is pursuing multiple class-action lawsuits against Oracle and Salesforce for alleged violations of the EU’s General Data Protection Regulation, estimating damages sought could exceed €10 billion (U.S. $11.9 billion).
e-Book: Data privacy back in the spotlight
With the California Consumer Privacy Act enforcement deadline finally upon us, data privacy concerns are once again a focus of U.S. corporations.
McDonald’s handling of ex-CEO scandal gets compliments, criticism
A fresh podcast from the Theranos whistleblower and a new compliance association for Black practitioners get a round of applause from us this week, while a complicated case involving McDonald’s lands the company on both the “Nailed It” and “Failed It” lists.
Without guidance, U.S. companies in limbo after Privacy Shield scrapped
Despite a recent court ruling to scrap the EU-U.S. Privacy Shield, the program is apparently still alive and well in the United States. It’s time to move on, writes Aaron Nicodemus.
Survey: Companies say lack of guidance, budget restrictions hamper compliance with CCPA
Complying with provisions of the California Consumer Privacy Act continues to be difficult for many companies, according to a new survey from Compliance Week and OpenText.
CCOs show resilience in early survey data; compliance-blind NRA in crosshairs
The National Rifle Association “Failed It” big time if a suit alleging a lack of compliance controls proves true. Meanwhile, we tip our caps to the stalwart CCOs who carry on despite a cut in pay and resources due to the pandemic.
Twitter could face up to $250M FTC fine for misuse of data
Twitter disclosed in a regulatory filing that it could face fines of up to $250 million by the Federal Trade Commission for misusing people’s personal information for advertising purposes.
Five tips for EU-U.S. data transfers post-Privacy Shield
As the fallout from the demise of the Privacy Shield continues to play out, here are a handful of steps companies can take to protect themselves from potential GDPR violations when transferring data between the European Union and the United States.
British Airways banking on drastic reduction of record GDPR fine
British Airways has hinted that it will qualify for a nearly 90 percent reduction of its original GDPR fine (U.S. $230 million) and end up paying just $26 million.
White paper: Smart Content Governance - Unleash the Power of the Modern Cloud-based Office
Now more than ever, companies need strong data governance that can be applied across multiple repositories, apps, and devices, no matter where work gets done.
Companies paying price for EU-U.S. Privacy Shield removal
The legal and financial burden for companies to comply with the recent ruling to invalidate the EU-U.S. Privacy Shield might actually be worse than first thought, if an FAQ from the European Data Protection Board is any indication.
CPE Webcast: Minimize exposure to supply chain regulatory and privacy risks
Join Kroll for an opportunity to learn how you can help your organization better minimize risks in the post-COVID-19 world.
Nailed It or Failed It? Disney sends anti-hate message to Facebook
In this week’s “Nailed It or Failed It?”, Disney gets kudos for throwing its weight behind the #StopHateForProfit protest, while PG&E earns criticism after being found responsible for yet another California wildfire.
Europe’s top court strikes down U.S.-EU data transfer rule
In a surprise decision that will have a major impact on trans-Atlantic data transfers, Europe’s top court ruled Thursday that a mechanism used by thousands of companies to send data to the United States is unlawful.
Nailed It or Failed It? Twitter’s meltdown exposes major vulnerability
In this week’s “Nailed It or Failed It?”, we reflect on the most troubling aspect of Wednesday’s giant Twitter hack while giving Wells Fargo a rare kudos for being good corporate citizens.
Walmart latest hit with CCPA-related lawsuit
Consumers are using the newly enforceable California Consumer Privacy Act to sue companies they say have mishandled their data. Walmart is the latest and most high-profile to be slapped with a lawsuit.
Italian telecom fined $18.6M for violating GDPR data collection rules
Italian telecommunications operator Wind Tre S.p.A has been fined approximately €16.7 million (U.S. $18.6 million) for violating data collection provisions of the EU’s General Data Protection Regulation.
Google fined $670K for violating GDPR’s ‘right to be forgotten’
Belgium’s Data Protection Authority fined Google Belgium €600,000 (U.S. $670,000) for refusing to delete search results linked to a Belgian public official, a provision of the GDPR know as the “right to be forgotten.”
Kudos to TikTok, tech brethren; Starbucks & Luckin have us soured on coffee cos.
In the inaugural edition of our weekly “Nailed It or Failed It?” feature, we give TikTok and other tech companies a pat on the back and shake our heads at the actions of Starbucks and Luckin Coffee.
CPE Webcast: CCPA - The California AG is ready. Are you?
With the CCPA being the most important privacy and data security law ever to be enacted in the United States, it will bring a sea of change in the way businesses manage and communicate with consumers about personal data.
Market forces, not regs, leading the charge for data privacy
Data privacy is about to become a more tangible concept to Americans not due to regulation like the CCPA, but because the most influential brand in the nation is making it a pillar of how it does business.
CPE Webcast: Data breach litigation post CCPA
The biggest impact on business post CCPA, and presumably subsequent state regulations, is the impact on data breaches.