The U.K. Information Commissioner’s Office agreed to slash its intended GDPR fine for British Airways from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million). What was behind the massive reduction?
Experts discuss whether EU data protection authorities would be better served using corrective actions other than eye-watering fines to encourage companies to commit to best (and legal) GDPR practices.
Creating policies for data handling and accountability and driving culture change so people understand how to properly work with data are two important components of a data governance initiative, as is the technology for proactively managing data assets.
In this week’s “Nailed It or Failed It,” we take down EY and JPMorgan Chase for apparently ignoring whistleblowers and give the SEC a nod for rewarding them.
In one of the largest GDPR fines imposed, a regional data protection authority in Germany fined H&M Germany €35.2 million (U.S. $41.3 million) for excessive monitoring of several hundred employees by one of the retailer’s subsidiaries.
Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.
Bank of America gets a pat on the back for going beyond an “observe and report” approach to filing a SAR, and we learned this week that Wells Fargo’s CEO needs a little unconscious bias training.
In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of the GDPR. Neil Hodge explores the trend and what to expect moving forward.
Nearly a year since their last hearing to discuss the urgent need for a federal privacy law in the United States, the Senate Committee on Commerce, Science, and Transportation largely remains stuck in neutral.
Businesses with operations in California should expect their data privacy compliance obligations to get a lot more complicated next year with the California Privacy Rights Act expected to pass in November.
This e-Book offers results from a recent Compliance Week and OpenText survey exploring why companies are still struggling with California Consumer Privacy Act compliance.
A first-of-its-kind lawsuit in the U.K. alleges YouTube unlawfully collects personal information from children without parental consent and harvests their data for advertising purposes, in violation of British and European data privacy laws.
JPMorgan Chase, Danske Bank, Deutsche Bank, and Bank of America all either “Nailed It” or “Failed It” this week.
The Irish DPC’s order to Facebook to halt the transfer of European citizens’ personal data to the United States could pose operational and legal challenges that set a precedent for not only other tech giants, but companies generally.
The Swiss Federal Data Protection and Information Commissioner believes the Swiss-U.S. Privacy Shield “does not provide an adequate level of protection for data transfer from Switzerland to the US.”
The European Commission this week warned there will be “no quick fix” to replace the now-invalidated Privacy Shield, which governed data transfers between the European Union and United States.
Silicon Valley’s social media heavyweights deserve a nod for “war-gaming” potential misinformation scenarios in advance of November’s elections, while McDonald’s again finds itself on our “Not Lovin’ It” list.
Establishing an effective data retention policy is a key step in managing and protecting one of your organization’s most valuable assets: its data.
Today’s employees and customers generate a lot of communications data, in a lot of formats and in a lot of locations, from computers and on-prem servers to mobile devices and the cloud.
It appears Europe’s data authorities are prepared to interpret a key court judgement as they see fit in the absence of definitive guidance from the bloc’s primary privacy regulator.
A scathing report on the extensive fraud at German payment giant Wirecard had a compliance silver lining: KPMG’s by-the-books, transparent approach to a special audit helped bring that fraud to light.
The California Consumer Privacy Act (CCPA) caused many U.S. companies to rethink their approach to data privacy when the law went into effect on January 1, 2020, and again when enforcement began on July 1, 2020.
As Ireland’s first GDPR decision against Big Tech hangs in limbo, experts are scratching their heads as to why a seemingly straightforward case is headed to the EU’s data governing body to rule on.
Rule changes proposed by the SEC seek to limit the amount of personally identifiable information required in data submitted to the Consolidated Audit Trail and for public company filings.
While it’s not yet clear whether Wells Fargo’s compliance moves (including the loss of its CCO) will pay off, we’re much more certain about the Irish Data Protection Commission’s stance on a potential Twitter fine.
The U.K. Information Commissioner’s Office is investigating allegations that Barclays Bank had effectively been spying on employees by using an intrusive software system that monitored workers’ activity.
Privacy campaign group NOYB has filed complaints against 101 websites with European operators that it says are still sending data to the U.S. via Google and/or Facebook integrations—potentially in breach of the EU’s strict data privacy rules.
There’s no questioning the need to protect the data of U.S. citizens from China, but it’s naïve to think pressuring TikTok to take up a U.S. owner is anything more than a hollow victory given our lack of federal oversight in the area of privacy.
A European privacy group is pursuing multiple class-action lawsuits against Oracle and Salesforce for alleged violations of the EU’s General Data Protection Regulation, estimating damages sought could exceed €10 billion (U.S. $11.9 billion).
With the California Consumer Privacy Act enforcement deadline finally upon us, data privacy concerns are once again a focus of U.S. corporations.
A fresh podcast from the Theranos whistleblower and a new compliance association for Black practitioners get a round of applause from us this week, while a complicated case involving McDonald’s lands the company on both the “Nailed It” and “Failed It” lists.
Despite a recent court ruling to scrap the EU-U.S. Privacy Shield, the program is apparently still alive and well in the United States. It’s time to move on, writes Aaron Nicodemus.
Complying with provisions of the California Consumer Privacy Act continues to be difficult for many companies, according to a new survey from Compliance Week and OpenText.
The National Rifle Association “Failed It” big time if a suit alleging a lack of compliance controls proves true. Meanwhile, we tip our caps to the stalwart CCOs who carry on despite a cut in pay and resources due to the pandemic.
Twitter disclosed in a regulatory filing that it could face fines of up to $250 million by the Federal Trade Commission for misusing people’s personal information for advertising purposes.
As the fallout from the demise of the Privacy Shield continues to play out, here are a handful of steps companies can take to protect themselves from potential GDPR violations when transferring data between the European Union and the United States.
British Airways has hinted that it will qualify for a nearly 90 percent reduction of its original GDPR fine (U.S. $230 million) and end up paying just $26 million.
Now more than ever, companies need strong data governance that can be applied across multiple repositories, apps, and devices, no matter where work gets done.
The legal and financial burden for companies to comply with the recent ruling to invalidate the EU-U.S. Privacy Shield might actually be worse than first thought, if an FAQ from the European Data Protection Board is any indication.
Join Kroll for an opportunity to learn how you can help your organization better minimize risks in the post-COVID-19 world.
In this week’s “Nailed It or Failed It?”, Disney gets kudos for throwing its weight behind the #StopHateForProfit protest, while PG&E earns criticism after being found responsible for yet another California wildfire.
In a surprise decision that will have a major impact on trans-Atlantic data transfers, Europe’s top court ruled Thursday that a mechanism used by thousands of companies to send data to the United States is unlawful.
In this week’s “Nailed It or Failed It?”, we reflect on the most troubling aspect of Wednesday’s giant Twitter hack while giving Wells Fargo a rare kudos for being good corporate citizens.
Consumers are using the newly enforceable California Consumer Privacy Act to sue companies they say have mishandled their data. Walmart is the latest and most high-profile to be slapped with a lawsuit.
Italian telecommunications operator Wind Tre S.p.A has been fined approximately €16.7 million (U.S. $18.6 million) for violating data collection provisions of the EU’s General Data Protection Regulation.
Belgium’s Data Protection Authority fined Google Belgium €600,000 (U.S. $670,000) for refusing to delete search results linked to a Belgian public official, under the provision of the GDPR known as the “right to be forgotten.”
In the inaugural edition of our weekly “Nailed It or Failed It?” feature, we give TikTok and other tech companies a pat on the back and shake our heads at the actions of Starbucks and Luckin Coffee.
With the CCPA being the most important privacy and data security law ever to be enacted in the United States, it will bring a sea change in the way businesses manage personal data and communicate with consumers about it.
Data privacy is about to become a more tangible concept to Americans not due to regulation like the CCPA, but because the most influential brand in the nation is making it a pillar of how it does business.