Data Protection News Jan 2020

Q4 2019 Round-up of Data Breaches and ICO Fines
Key data protection dates in January
Brazil’s General Data Protection Law
2019 Statistics
January 28 2020

Key Dates

As we move into 2020 it is worth highlighting 2 key dates in January:

1st January 2020 is the official start date of the new data protection legislation – the California Consumer Privacy Act (CCPA). If your organisation handles the data of US consumers, ensure you are aware of this new legislation and what it means for you.

28th January 2020 is International Data Privacy Day! Consider making this as a day within your company to coordinate comms and awareness. Encourage employees to put aside some time to check their own compliance activities – that data is being held in line with retention rules, to review the latest policies or training and review records of processing activity.

Data Breaches

The number of Data Breaches reported in the media during Q4 was 117, with the number of estimated records breached being 2.2 billion. The biggest global breaches from Q4 were:

  • Lightinthebox – 1.6 Billion shopper records exposed for 3 months
  • People Data Labs and implicated in massive data breach with 1.2 billion people affected
  • Airtel, an Indian network provider exposed 300 million users information due to a bug

ICO Fines

Continuing the trend of low fines in 2019, Q4 saw only 1 fine being issued by the ICO.

The recipient was Doorstep Dispensaree, who were fined £275,000 for leaving 50,000 patent records in an unsecured cabinet.

For more detailed information about ICO fines:

GDPR Fines

GDPR fines across Europe are starting to increase in number and value. In Q4 2019 there were 71 fines, including:

  • €18 Million fine in Austria to the Austrian post
  • €14.5 Million in Germany against Deutsche Wohnen
  • €9.5 Million, also in Germany, issued to a telecoms company
2019 Statistics
15 billion records leaked globally

519 reported data breaches

401 Reported Cyber and Ransomware attacks

£2 Million in ICO penalties issued

161 GDPR fines across Europe

€104 Million in fines issued across Europe with €314 Million of fines pending, depending on appeal

Brazil General Data Protection Law (LGPD)

After almost 10 years in the making, the new Brazilian Data Protection Legislation takes effect in August 2020, 6 months later than the initial date of February. These laws have been influenced by the GDPR and as such there are many similarities.

  • Like GDPR, LGPD applies to controllers based in Brazil and any trans-border processing of data about Brazilian citizens
  • LGPD has a set of core principles and lawful bases for processing
  • Data Subject Rights – LGPD includes the right of access, rectification, cancellation or exclusion, and portability
  • Both controllers and processors are obliged to maintain records of processing and conduct privacy impact assessments
  • Data breaches must now be reported to the National Data Protection Authority
  • The LGPD mandates the appointment of Data Protection Officers
  • International data transfers are only allowable based on adequacy or other acceptable safeguards
  • The maximum fines are 2% of gross turnover or 50 million reals (€11 Million)

However, there are also some key differences between the 2 sets of legislation.

  • Regarding the DPO role, the LGPD makes it mandatory for all data controllers. There are no exceptions for smaller organisations, or those where processing data is not a core activity
  • Subject requests must be responded to in 15 days, rather than 30 days
  • There are 10 principles and 10 lawful bases which provides some additions to what is stated within GDPR. Examples are the principle of non-discrimination and lawful bases such as the protection of credit and the protection of health
  • Unlike the GDPR, LGPD does not specifically address electronic marketing which is covered by Consumer Protection code – the country’s main law regulating advertising

This legislation is another in a long line of new Data Protection Laws being developed in this continuing trend. There are now renowned names in the tech industry calling for data privacy to be considered a basic human right.