In the news this week: Ecuadorian legislators have fast-tracked the country’s first data protection law following a data breach that affected almost the entire population. CJEU – Google does not have to make the “right to be forgotten” available worldwide. European Commission and U.S. Department of Justice officials begin formal negotiations on an EU-U.S. agreement to facilitate access to electronic evidence …
This initial investigation was triggered by guidance that was released by the ICO in the UK, that insists that processors must allow audit and inspection rights to their controllers in their contractual terms. In the GDPR , Article 28.3.h states: That contract or other legal act shall stipulate, in particular, that the processor: makes available …
In the news this week: 3rd annual Privacy Shield review completed – joint statement released, EC report to follow. Access Now requests it be struck down. US Big Tech’s Disingenuous Push for a Federal Privacy Law. Over 13.7M US medical test records found unsecured on servers. IAPP has produced a CCPA amendment tracker. Poland’s DPA has fined the shopping site morele.net around €650,000 …
There is a lot to be said for the similarities between getting breach ready, and getting beach ready. Both require careful planning and a relentless focus. Both also ensure that you are not left with your arse hanging out. Effort Both require effort. Breach preparations requires a detailed understanding of the business, of business-critical applications …
In this week’s news: The interaction of Data Protection and the UK Government – ICO to probe government over Gov.uk data collection plan. The ICO has urged businesses to “prepare for all scenarios” as it publishes dedicated guidance to help small and medium sized organisations prepare. Report finds 48% of UK businesses are fully compliant with GDPR. I suspect it’s close to …
We left off last time out on Risk Treatment. The previous post is here. So following up using ISO 27001 as a base for our questions, the next section would be Performance Evaluation. Performance Evaluation In ISO 27001 speak, this is the monitoring of your security controls. You can understand a lot about the maturity …
Third Party Security Assurance Questions – Part 2 Read More »
In my previous post, we left the GDPR review at Clause 74. This was quite a deliberate breakpoint, as Clause 75 and 76 take us straight into the meat of the DPIA (Data Protection Impact Assessment). Privacy Impact Assessment The ISO 27701 Standard refers to a Privacy Impact Assessment as a method to determine the …
Understanding ISO 27701 – Missing GDPR Controls Part 2 Read More »
The US Department of Defense recently released version 0.4 of its CyberSecurity Maturity Model Certification (CMMC). This is supposed to make third parties more accountable for their security controls to the DoD for the sensitive information they handle. If you cannot follow the link, it is because you are not in the US. They have …
How not to create a Maturity Model for Third Parties Read More »
On August 30th 2019, Judge Paul W. Grimm of the US District Court of Maryland set a precedent that could change the way forensic reports of data breaches are written. Marriott failed to block the release of the PCI Forensic Report that was conducted by external cyber specialists in November 2018, in the wake of …
In the news this week: The Bavarian DPA is investigating the blood donation service’s processing of particularly sensitive health data under Art. 9 of the GDPR. One of the things to be ascertained, is whether Facebook was able to infer the answers of individuals and even link them to specific Facebook profiles. US Ninth Circuit Certifies Privacy Class …
