Presentation of research on GDPR enforcement practice, based on information from 86 publicly available cases. The event where the research was presented took place in Kyiv, Ukraine on October 10, 2019.
After (self) studying all aspects of GDPR, we thought it was worthwhile making a summary which could be used to create awareness about the subject, especially for my clients' employees.
The basic elements of GDPR put together in bullet points. This summary has many sources from many experts and official documents. Let DPIA and DPO not be unknown to you.
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a... - Feroot
Join James Tumbridge, a lawyer with the specialist law firm Venner Shipley and one of the authors of the UK Data Protection Act 2018, and Ivan Tsarynny, CEO & Founder of Feroot Privacy, to discuss the unique data protection laws of EU jurisdictions and the potential impact regulations can have on your business operations, expansion plans and governance structure.
Topics for discussion include:
- Lessons learned from the courts, regulator inquiries and fines over the past year
- How to stay informed of current privacy regulations by learning about those who have been impacted already
- Significant trends in GDPR behaviours
- An overview of jurisdictional regulations & how to best prepare
- Key issues to keep in mind for governance, corporate structures and domiciles in data protection terms
Patent, Trademark, Industrial Design in Vietnam, Cambodia, Laos & Myanmar - Nguyen Hoa Binh (Bill)
Patent, Trademark, Industrial Design in Vietnam, Cambodia, Laos, Myanmar
by Nguyen Hoa Binh
Partner, Patent Attorney
DAITIN & ASSOCIATES CO., LTD.
(IP Agent in Vietnam, Laos, Cambodia and Myanmar)
Ho Chi Minh City & Hanoi
No. 19 Hoang Dieu Str., District 4, Ho Chi Minh City, Vietnam
Postcode: 700000; Tel: +84-4-6270 0022; Fax: +84-4-6270 0020
Email: binh@daitin.com.vn; info@daitin.com.vn
Website: www.daitin.com.vn
A member of: INTA & APAA
Vlaamse Landmaatschappij travels the world for a million euros - Thierry Debels
The Vlaamse Landmaatschappij wants to conclude a framework agreement for international travel services (EIP). The contract is worth 1 million euros and starts at the beginning of 2019.
2012-Oct: Effect of EU cookie law on US organisations - Phil Pearce
This was a presentation from Oct-2012 on Effect of EU cookie law on US organisations.
Please also see my BlackHat Analytics V3 slides for more recent info: www.slideshare.net/phildpearce/blackhat-analytics-3-superweek-do-be-evil-force-awakens
NMBS spends 18.7 million euros on advertising agency - Thierry Debels
The NMBS wants to conclude a contract worth 18.7 million euros with a communications agency. The intention is to have the agency handle communications for 3 years (2020-2023).
Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of this data must be considered personal data, since it relates to an individual person.
Implementing social business technologies in enterprises often leads to discussions with data protection supervisors about how to comply with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud”, which might be the only choice in the near future due to IBM's “Cloud First” or Microsoft’s “Cloud only” delivery model.
This session will give you an overview
- about EU data protection regulations
- its implications for using social business systems
- special considerations for using cloud based social business systems
CINECA webinar slides: Status Update Code of Conduct: Teaming up & Talking ab... - CINECAProject
Committed to the drafting of a Code of Conduct for the sector of health research according to Art. 40 GDPR, our initiative is advancing slowly but steadily. Throughout Europe, national jurisdictions differ to a great deal in their interpretations of the GDPR, especially in regard to its application in health research. This is due to some quite vague provisions (public interest, not incompatible clause) as well as to numerous exemption/derogation clauses concerning the use of health data for research purposes, which encourage States to set up national rules – enhancing fragmentation. Notably, a Code of Conduct can help to bridge the harmonization gaps that may exist between Member States in their application of data protection law. On a practical level, a code is potentially a cost-effective method to achieve greater levels of consistency of protection as well as a mechanism to demonstrate compliance with the GDPR. By spring 2020, several hundred individuals representing around 90 organizations in the field of health research have indicated their interest and support for the Code of Conduct for Health Research. At this stage, this does not yet indicate an endorsement but means that they see a benefit in the development of such a code and are interested in partaking in the process. Additionally, several exchanges take place with national and sectoral codes in order to use synergies and find ways for collaboration. This webinar is intended to inform you about the latest results.
The CINECA webinar series aims to discuss ways to address common challenges and share best practices in the field of cohort data analysis, as well as distribute CINECA project results. All CINECA webinars include an audience Q&A session during which attendees can ask questions and make suggestions. Please note that all webinars are recorded and available for later viewing.
This webinar took place on 1st October 2020 and is part of the CINECA webinar series. It is best viewed in full screen mode using Google Chrome.
For previous and upcoming CINECA webinars see:
https://www.cineca-project.eu/webinars
GIG Working Paper 02/2017 - The Definition of Personal Data - IAB Europe
This second output of the GIG focuses on the definition of Personal Data under the GDPR, explaining how it will affect companies in the online advertising space.
Report 2017 of EU on Cybercrime in Belgium - Thierry Debels
'The budget set aside for combating cybercrime is insufficient in terms of resources and training, while there is an increased shortage of police staff.'
The Central and Eastern European countries are undergoing significant change as they accelerate towards becoming digital economies. A key cornerstone for the region’s future economic success is the quality of its justice system. Investors will steer clear of societies that have anything less than a robust justice system. With increased mobility, citizens will similarly vote with their feet.
• In May 2018 the new European privacy legislation comes into force. The General Data Protection Regulation is a set of rules to better protect the data of European citizens. This regulation also applies to associations. We welcome Karel Holst of the GDPR expert firm IFORI, who will guide us through this complex matter in an accessible way. You can expect practical tips and advice.
In cooperation with the advisory councils and Katrien Dossche.
The conference will contextualise the changing regulatory landscape, considering the business impact of the GDPR and DPA (2018) and how it is changing policy and process in practice.
When GDPR came into force in May 2018 it significantly raised the bar of obligation and accountability, ensuring that all organisations who handle personal data adhere to strict regulations around privacy, security and consent. 18 months on from implementation, the conference will consider how data protection procedure has moved on, with insight from frontline practitioners reflecting on how practices within their organisation have changed.
The event will also provide an update from the regulator; exploring regulatory action policy, decision making for fines and penalties, and clarifying some of the most prominent areas of misconception and non-compliance.
Core conference topics include:
• Key legal issues and obligations
• Data security and encryption
• Privacy Impact Assessments
• Databases, data mapping and classification
• Privacy by design
• Practical strategy implementation
Amid mounting criticism of Ireland’s privacy watchdog, top European Commission official Didier Reynders has come to Dublin’s defense, brushing off calls to penalize the country over claims it has failed to uphold Europeans’ privacy rights.
The defense, in a letter to MEPs, comes after lawmakers including Sophie in ‘t Veld and Tineke Strik from the Netherlands and Cornelia Ernst and Birgit Sippel from Germany urged the EU executive to open a disciplinary procedure against Dublin.
On Wednesday 10th October, we hosted a panel discussion in Dublin Institute of Technology to look at GDPR’s impact so far, who is benefiting from it, how it is being implemented and why it should still be on marketers’ list of priorities. Here is the presentation from Robert Dunne, barrister specialising in data protection and employment law.
Presentation at Data protection in the Western Balkans and the Eastern Partnership Region. High-level exchange and learning week organised by SIGMA, GIZ, RCC and ReSPA.
EMEA Quarterly Update: GDPR Two Years Later - TrustArc
Before 25 May, 2020, the European Commission will present the first official evaluation of the GDPR, two years after the entry into application of the new regulation. The European Data Protection Board has given their view, as have the EU Member States. During this webinar, we will discuss the first lessons learned from the GDPR, including from the private sector.
In addition, as is custom during the quarterly updates, we will provide you with an overview of the new guidelines from the European Data Protection Board and enforcement action from the various supervisory authorities. In addition, we will take a look beyond the European Union’s borders at what is happening in the Middle East and Africa.
This webinar will review:
- The lessons learned in the first two years the GDPR has been in effect;
- The guidelines of the European Data Protection Board;
- The enforcement of the GDPR at national and European level;
- Data protection developments in Africa and the Middle East;
- How TrustArc can support you in staying up-to-date on data protection and privacy compliance in the EMEA region.
Be careful what you wish for! How the GDPR, even now that it has been finalised, may not solve the tech community's key problems of what is personal data and what is anonymised/pseudonymous.
Be careful what you wish for: the great Data Protection law reform - Lilian E... - IISPEastMids
At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Lilian Edwards looked at the basics on what you need to know about the new regulation.
http://qonex.com/east-midlands-cyber-security-forum/
Privacy and video surveillance: Advanced technology and best practices protec... - Salvatore D'Agostino
Presentation with Antoinette King of Axis Communications, sponsored by the Security Industry Association and Security System News on the misunderstood and symbiotic relationship between privacy and security and video surveillance in particular.
Big tech companies were hit with significant fines for data rule breaches in 2023, underlining the urgency of robust data protection. Don't risk your company's security.
Visit our website to enhance your cybersecurity and ensure compliance.
www.allendevaux.com
"Towards Value-Centric Big Data" e-SIDES Workshop - "Safe and secure data mar... - e-SIDES.eu
The following presentation was given by Alessandro Bruni, Legal Researcher at KU Leuven, during the e-SIDES workshop "Towards Value-Centric Big Data" held on April 2, 2019 in Brussels.
United Kingdom GDPR Action Taken Against Canadian Company - Barry Schuman
Recently, the UK Information Commissioner’s Office (“ICO”), a non-governmental public body which serves as the independent regulatory office concerning data protection, decided to take action in the form of an enforcement notice issued on July 6, 2018, against a non-European entity following a purported breach of the GDPR.
There are frameworks that help an organisation, as a complex interconnected system in an unpredictable environment, to be prepared for whatever comes. We tested some of them as a 22-year-old Ukrainian entity facing war, and share the current outcome of implementing those frameworks.
We are now in September 2020, and we are entering the long-term consequences of the global lockdown for our operating environment. Even if production itself is not affected directly, there are changes in the supply chain, HR, market accessibility, back-office processes, stakeholder relations and government relations. At the same time we are in the 4th industrial revolution, and need not only to respond to a growing number of requests, but also to look to the future.
Infographic created from WEF publications on resilience: the ability to withstand, recover from, and reorganize in response to crises. The approach itself is an application of the science of complexity to the enterprise. Components inherent to complex systems are highlighted. When applying this, it is necessary to take into account that resilience is contradictory to efficiency, especially on a short time horizon, but ensures survival and development in a changing environment.
Cloud taxonomy and best practices - ISACA Kyiv event, 05.11.2019 - Anastasiia Konoplova
Handouts of ISACA Kyiv event, 05.11.2019, "How the cloud services we use work". The presentation includes:
- basics of cloud services in the current context,
- risks of cloud service orchestration from a cloud auditor's perspective,
- references to sources where best practices of cloud use can be found.
An argument for budget acceptance: ROSI and how to calculate it - Anastasiia Konoplova
The presentation reflects the factors that influence the information security (IS) budget in 2020, gives an example of a quantitative assessment of the return on investment in IS, and outlines an approach to introducing quantitative IS assessment in an organisation.
NIST Cloud computing taxonomy - UA translation by ISACA KYIV - Anastasiia Konoplova
Volunteers of the Kyiv chapter of ISACA (www.isaca.org.ua), with the support of the translation agency Task Force (www.taskforce.ua), translated this document as an advisory resource on the basics of cloud computing for assurance, corporate governance, risk management and security professionals.
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Data and AI
Round table discussion of vector databases, unstructured data, ai, big data, real-time, robots and Milvus.
A lively discussion with NJ Gen AI Meetup Lead, Prasad and Procure.FYI's Co-Found
Analysis insight about a Flyball dog competition team's performance - roli9797
Insight of my analysis about a Flyball dog competition team's last year performance. Find more: https://github.com/rolandnagy-ds/flyball_race_analysis/tree/main
Learn SQL from basic queries to Advance queries - manishkhaire30
Dive into the world of data analysis with our comprehensive guide on mastering SQL! This presentation offers a practical approach to learning SQL, focusing on real-world applications and hands-on practice. Whether you're a beginner or looking to sharpen your skills, this guide provides the tools you need to extract, analyze, and interpret data effectively.
Key Highlights:
Foundations of SQL: Understand the basics of SQL, including data retrieval, filtering, and aggregation.
Advanced Queries: Learn to craft complex queries to uncover deep insights from your data.
Data Trends and Patterns: Discover how to identify and interpret trends and patterns in your datasets.
Practical Examples: Follow step-by-step examples to apply SQL techniques in real-world scenarios.
Actionable Insights: Gain the skills to derive actionable insights that drive informed decision-making.
Join us on this journey to enhance your data analysis capabilities and unlock the full potential of SQL. Perfect for data enthusiasts, analysts, and anyone eager to harness the power of data!
#DataAnalysis #SQL #LearningSQL #DataInsights #DataScience #Analytics
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdf - GetInData
Recently we have observed the rise of open-source Large Language Models (LLMs) that are community-driven or developed by the AI market leaders, such as Meta (Llama3), Databricks (DBRX) and Snowflake (Arctic). On the other hand, there is a growth in interest in specialized, carefully fine-tuned yet relatively small models that can efficiently assist programmers in day-to-day tasks. Finally, Retrieval-Augmented Generation (RAG) architectures have gained a lot of traction as the preferred approach for LLMs context and prompt augmentation for building conversational SQL data copilots, code copilots and chatbots.
In this presentation, we will show how we built upon these three concepts a robust Data Copilot that can help to democratize access to company data assets and boost performance of everyone working with data platforms.
Why do we need yet another (open-source) Copilot?
How can we build one?
Architecture and evaluation
Adjusting OpenMP PageRank : SHORT REPORT / NOTES - Subhajit Sahu
For massive graphs that fit in RAM, but not in GPU memory, it is possible to take advantage of a shared memory system with multiple CPUs, each with multiple cores, to accelerate pagerank computation. If the NUMA architecture of the system is properly taken into account with good vertex partitioning, the speedup can be significant. To take steps in this direction, experiments are conducted to implement pagerank in OpenMP using two different approaches, uniform and hybrid. The uniform approach runs all primitives required for pagerank in OpenMP mode (with multiple threads). On the other hand, the hybrid approach runs certain primitives in sequential mode (i.e., sumAt, multiply).
Chatty Kathy - UNC Bootcamp Final Project Presentation - Final Version - 5.23... - John Andrews
SlideShare Description for "Chatty Kathy - UNC Bootcamp Final Project Presentation"
Title: Chatty Kathy: Enhancing Physical Activity Among Older Adults
Description:
Discover how Chatty Kathy, an innovative project developed at the UNC Bootcamp, aims to tackle the challenge of low physical activity among older adults. Our AI-driven solution uses peer interaction to boost and sustain exercise levels, significantly improving health outcomes. This presentation covers our problem statement, the rationale behind Chatty Kathy, synthetic data and persona creation, model performance metrics, a visual demonstration of the project, and potential future developments. Join us for an insightful Q&A session to explore the potential of this groundbreaking project.
Project Team: Jay Requarth, Jana Avery, John Andrews, Dr. Dick Davis II, Nee Buntoum, Nam Yeongjin & Mat Nicholas
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf - Enterprise Wired
In this guide, we'll explore the key considerations and features to look for when choosing a Trusted analytics platform that meets your organization's needs and delivers actionable intelligence you can trust.
Techniques to optimize the pagerank algorithm usually fall into two categories. One is to try reducing the work per iteration, and the other is to try reducing the number of iterations. These goals are often at odds with one another. Skipping computation on vertices which have already converged has the potential to save iteration time. Skipping in-identical vertices, with the same in-links, helps reduce duplicate computations and thus could help reduce iteration time. Road networks often have chains which can be short-circuited before pagerank computation to improve performance. Final ranks of chain nodes can be easily calculated. This could reduce both the iteration time and the number of iterations. If a graph has no dangling nodes, pagerank of each strongly connected component can be computed in topological order. This could help reduce the iteration time and the number of iterations, and also enable multi-iteration concurrency in pagerank computation. The combination of all of the above methods is the STICD algorithm. [sticd] For dynamic graphs, unchanged components whose ranks are unaffected can be skipped altogether.
Adjusting primitives for graph : SHORT REPORT / NOTES - Subhajit Sahu
Graph algorithms, like PageRank Compressed Sparse Row (CSR) is an adjacency-list based graph representation that is
Multiply with different modes (map)
1. Performance of sequential execution based vs OpenMP based vector multiply.
2. Comparing various launch configs for CUDA based vector multiply.
Sum with different storage types (reduce)
1. Performance of vector element sum using float vs bfloat16 as the storage type.
Sum with different modes (reduce)
1. Performance of sequential execution based vs OpenMP based vector element sum.
2. Performance of memcpy vs in-place based CUDA based vector element sum.
3. Comparing various launch configs for CUDA based vector element sum (memcpy).
4. Comparing various launch configs for CUDA based vector element sum (in-place).
Sum with in-place strategies of CUDA mode (reduce)
1. Comparing various launch configs for CUDA based vector element sum (in-place).
2. Acknowledgements
The author of this analysis, Anastasiia Konoplova, wishes to thank Irina Ivchenko, Kostyantyn Kulikov and Oleksii Mervinskiy for their contribution, subject matter discussion and support; Oleksii Baranovskiy and the CyberDn0 team for help with the organization of this event; and attendees of ISACA Kyiv chapter events for their questions and inspiration.
3. GDPR – Where are we now?
http://www.eugdpr.org/the-regulation.html
Timeline:
- Initial proposal: 25.01.2012
- Approved by EP: 27.04.2016
- Full force: 24.05.2016
- Transition period ended: 25.05.2018
Jan 2019:
- 95180 complaints to DPA
- 41502 data breach notifications
- 255 investigations
- 3 fines, incl. Google, €50 Mio
- Data compromise in top business risks
Oct 2019:
- Global enforcement
- Local legislation
- First finalized investigations
- Court proceedings
- No simple recipes
Future:
- Rising complexity
- Rising uncertainty
Source: https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
Taken decisions:
- Hired/assigned DPO
- Created/updated policies
- Data mapping & risk assessment
- Updated process design
- Implemented information systems
- Audits
- Awareness programs
- etc.
Who will be the next? Are we ready?
4. Enforcement: Data challenges
- Lack of trusted sources
- Welter of information in media
- Privacy enforcement more than GDPR enforcement
- Different national legislations – and languages
- Heterogeneous data, case-by-case approach
7. Examples of sources for validation
- List of decisions of Hellenic DPA, Greece
- Yearly report 2018 of UOOU, Czech Republic
- Yearly report 2018 of Garante, Italy
8. Data set
- 86 cases, 5 under court proceedings
  • 83 fines
  • 3 other sanctions
- Total fines € 372 911 936
  • 98,7458% - TOP5
  • Median € 10 000
- Among sanctions: reprimand, warnings, service ban
- Fine in data set can consist of GDPR fine, local law fine, procedural costs
- Figures should be understood as illustrative
11. Among victims
Sensitive data:
• Banking&finance
• Medical
• Public sector, agencies, municipalities
• Employers of any sector
Large amount:
• Media
• Tech&platforms
• Telecom
• Infrastructure operators
Trade&B2C services: cafe, taxi, stores
Private persons
12. Most expensive infringements*
*except top-5
Please note: classification of infringements is tentative; several articles are violated in most cases.
13. Top-5 of fines, facts
- British Airways: € 204 600 000 (not final), UNITED KINGDOM, 08-07-19, since 09/2018, Art. 32 GDPR
- Marriott International, Inc: € 110 390 200 (not final), UNITED KINGDOM, 09-07-19, since 11/2018, Art. 32 GDPR
- Google Inc.: € 50 000 000, FRANCE, 21-01-19, since 05/2018, Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR
- National Revenue Agency: € 2 600 000, BULGARIA, 28-08-19, Art. 32 GDPR
- Morele.net: € 644 780, POLAND, 10-09-19, since 11/2018, Art. 32 GDPR
14. Top-5 of fines, stories
British Airways
• XSS, 500 000 customers were compromised. The incident possibly started in June 2018 and was notified in September 2018.
Marriott International, Inc
• Data breach, notified to the ICO in November 2018. 339 million guest records globally were exposed by the incident. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
Google Inc.
• The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The consents obtained had not been given "specific" and not "unambiguous".
National Revenue Agency
• Data of 6 074 140 persons were publicly available, including contact data along with financial declarations and income data.
Morele.net
• Operates 11 internet stores
• 2 incidents, a data breach and a few services compromised, notified in 11/2018 and 12/2018
• Data of 2 200 000 customers were possibly exposed
• Some clients received an SMS informing them that an additional fee of PLN 1 was required to complete the order. The message contained a link to a fake DotPay electronic payment gateway.
15. Illustrative cases
Data processor in Poland | 219 538 Euro | processed data from public sources for commercial purposes without consent and proper information
School in Skellefteå, Sweden | 18 630 Euro | consent obtained from students was not a valid legal basis given the clear imbalance between the data subject and the controller
Telecom in Bulgaria | 27 100 Euro | repeated registration of prepaid services without the knowledge and consent of the data subject
Merchant in Belgium | 10 000 Euro | wanted to use eID to create a customer card
Private person in Germany | 2 000 Euro | sent several e-mails with an open mailing list (CC, not BCC)
16. Illustrative cases - 1
Data processor in Poland
• The company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.
• The company processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website.
• In the opinion of the President of the Personal Data Protection Office, such action was insufficient – while having the contact data of particular persons, the controller should have fulfilled the information obligation in relation to them, that is, it should have informed them inter alia about: their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR.
https://uodo.gov.pl/en/553/1009
17. Illustrative cases - 2
School in Skellefteå, Sweden
• A school in northern Sweden has conducted a pilot using facial recognition to keep track of students’ attendance in school.
• The test run was conducted in one school class for a limited period of time.
• The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment, including seeking prior consultation with the Swedish DPA.
• The school has based the processing on consent, but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.
https://www.datainspektionen.se/nyheter/sanktionsavgift-for-ansiktsigenkanning-i-skola/
18. Illustrative cases - 3
Telecom in Bulgaria
• Employees of the telecommunications provider used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature on the application and the complainant's own genuine signature were not identical; the person's personal identification number was indicated, but the identity card number was not the complainant's.
https://www.cpdp.bg/?p=element_view&aid=2180
19. Illustrative cases - 4
Merchant in Belgium
• The merchant wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and the barcode, which is linked to the data subject's identification number.
https://www.sudinfo.be/id141981/article/2019-09-19/un-commercant-recu-une-amende-de-10000-euros-pour-avoir-voulu-creer-une-carte-de
20. Illustrative cases - 5
Private person in Germany
• A private person sent several e-mails between July and September 2018 in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list.
https://www.mz-web.de/merseburg/hunderte-adressen-im-verteiler-merseburger-muss-fuer-wut-mails-ueber-2-000-euro-zahlen-32033308
21. Insights from this analysis
• If you have >1 000 000 customers, security breaches are expensive – and unavoidable
• Privacy mindset, or Principles first
• Jurisdiction is REALLY important
• Think first BEFORE direct marketing
• Think first before implementing video surveillance or using biometrics; properly control blockchain and AI
22. Way to GDPR compliance
Simple to say, hard to do.
25. Privacy Mindset
Privacy is MORE important than your profit
Profit < Privacy < Common Wealth < National Security < Law < Human Life
GDPR exemptions (articles): 2.2, 9.2, 11, 13.4, 14.5, 17.3, 20.3, 22.2, 23, 27.2, 30.5 …
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
26. Controller & Processor obligations
• Data protection by design and by default
• Representatives of controllers or processors not established in the Union
• Records of processing activities
• Cooperation with the supervisory authority
• Security of processing
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
• Data protection impact assessment
• Designation of the data protection officer
• Codes of conduct
Articles 25-39
*Fines for violations of selected obligations were found in the data set
27. Are we compliant?
Once implemented, does our compliance plan reflect the privacy mindset?
Is this mindset properly articulated in the Code of Conduct?
Are the adopted policies consistent and clear?
How can we confirm compliance with these policies?
How are these policies reflected in the everyday decisions of every employee?
…Is our culture lawful, fair and transparent?
Maturity level
29. Privacy by Design @ Software Development
• Privacy by Design is a combination of
- Privacy Assessment + SDLC for a software development stream
- Privacy Assessment + PMM for a project management stream
Diagram elements: Secure Development Life Cycle (SDLC), Software Development, Project Management, Privacy Assessment, Privacy by Design, Project Management Methodology (PMM)