The recently adopted EDPB guidelines on examples regarding data breach notification complement the Article 29 Working Party guidance on data breach notification by introducing more practice-orientated guidance and recommendations. The guidelines, adopted on January 14, 2021, and available for public commentary, aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.
According to Karen Wetzel, Manager of the NICE Framework, “The NICE Framework building blocks (Tasks, Knowledge, and Skill statements) will unleash a variety of ways in which organizations can use and apply the NICE Framework within their unique context and in a manner that is consistent with the attributes of agility, flexibility, interoperability, and modularity. The introduction of Competencies, a mechanism for organizations to assess learners, is designed to increase alignment among employers, learners, and education and training providers and close the cybersecurity skills gap.”
According to the European Commission, the proposed Regulation on Data Governance (Data Protection Act) will create the basis for a new European way of data governance that is in line with EU values and principles, such as personal data protection (GDPR), consumer protection and competition rules. It offers an alternative model to the data-handling practices of the big tech platforms, which can acquire a high degree of market power because of their business models that imply control of large amounts of data.
A steady rise in the number of sensitive data discovery requirements driven by events ranging from Data Subject Access Requests (DSARs) to data breaches are adding to the current ‘where’s my data’ problem; a problem increasingly complicated by enormous amounts of unstructured data widely spread across organizational systems. The ability to rapidly locate information across an organization’s digital estate and to easily review, collate, and extract that data into one central repository, is essential when faced with regulatory time constraints. Ascema, a sensitive data discovery and extraction platform from UK-based cybersecurity provider GeoLang, may be able to help eDiscovery professionals as they consider proactive detection and reactive data breach review of data.
This new report, “Data Retention Revisited,” published by the EDRi, critically revisits the question of data retention and concludes that the ongoing aspirations to reintroduce a data retention obligation in the EU remain in violation of EU law as long as the strict necessity of data retention is unproved and no genuinely targeted retention obligation is considered.
According to the recently published EDPB guidelines on the targeting of social media users, the term “targeter” is used to designate natural or legal persons that use social media services in order to direct specific messages at a set of social media users on the basis of specific parameters or criteria. What sets targeters apart from other social media users is that they select their messages and/or their intended audience according to the perceived characteristics, interests, or preferences of the individuals concerned, a practice which is sometimes also referred to as “micro-targeting.” Targeters can engage in targeting to advance commercial, political, or other interests.
As highlighted in NIST Special Publication 800-207, no enterprise can eliminate cybersecurity risk. However, when complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, a properly implemented and maintained Zero Trust Architecture (ZTA) can reduce overall risk and protect against common threats.
Following the recent judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the European Data Protection Board (EDPB) has adopted a ‘Frequently Asked Questions’ document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.
According to the Court of Justice of the European Union press announcement, in the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
The general view is that two years after it started to apply, the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU. However, a number of areas for future improvement have also been identified.