Privacy News 02/07/2021

Jul 9, 2021

European Union

Commission adopts positive UK adequacy decisions

The European Commission announced, on 28 June 2021, that it had adopted two adequacy decisions for the United Kingdom, one under the GDPR and one under the Data Protection Directive with respect to Law Enforcement.

The Commission highlighted that, among other decisive factors, the UK’s data protection system continues to be based on the same rules that were applicable when the UK was a member of the EU, and the UK has fully incorporated the principles, rights, and obligations of the GDPR and the Directive into its post-Brexit legal system.

You can read the press release here, the GDPR adequacy decision here, and the Directive adequacy decision here.


ENISA issues cybersecurity recommandations for SMES

 The ENISA announced, on 28 June 2021, that it had issued a report with recommendations on the cybersecurity challenges faced by SMEs, as well as a cybersecurity guide.

The report aims to provide advice for SMEs to successfully cope with cybersecurity challenges, especially those resulting from the COVID-19 pandemic. It highlights that as a result of challenges created by the pandemic, many SMEs have turned to new technologies to maintain their business, but have often failed to increase their security in relation to these new systems.

Specifically, the report identifies the following cyber risks for SMEs :

  1. Phishing attacks;
  2. Web-based attacks;
  3. General malware;
  4. Malicious insider;
  5. Denial of service.

The report also reveals a number of operational issues faced by SMEs (such as low awareness of cyber threats, inadequate protection for sensitive information…).

In order to address these challenges, the ENISA recommends several measures, which fall into three categories:

  • people-based measures:
    • measures relating to responsibility;
    • employee buy-in and awareness;
    • cybersecurity training and cybersecurity policies; 
    • third party management in relation to confidential and/or sensitive information; and
  • process-based measures:
    •  measures relating to monitoring internal business processes;
    • performing audits;
    • incident planning and response;
    • passwords;
    • software patches; and
  • data protection and technical measures:
    • measures relating to network security;
    • anti-virus;
    • encryption;
    • security monitoring;
    • physical security; and
    • securing of backups.

You can read the report here, and the guide here


National Authorities

Spain: AEPD publishes new risk management and DPIA guide

The AEPD published, on 29 June 2021, a new guide on risk management and carrying out a DPIA, comprising interpretations of the AEPD, EDPB and EDPS.

The guide is aimed at data controllers, processors and DPO assisting in compliance with data protection regulation, and is applicable to any processing.

Alongside the guide, the AEPD has presented its “Evaluate-Risk GDPR” tool, which helps data controllers and processors identify the risks to the rights and freedom of the interested parties, make a first assesment of the risk, including the need to carry out a DPIA, and estimate the residual risk if measures and guarantees are used to mitigate the risks.

You can read the guide here, and access the tool here, only available in Spanish.


France : CNIL releases version 3.0 of its PIA Tool

The CNIL released, on 30 June 2021, version 3.0 of its PIA tool.

The updated tool allows, among other things, users to:

  • personalise knowledge bases within the tool;
  • centralise processing activities related to their PIA within the tool;
  • categorise entries; and
  • access a step-by-step tutorial on how to use the PIA tool.

In addition, CNIL updated their FAQs for the PIA tool to cover the update.

You can read the press release here and the FAQs on the PIA tool page here, both only available in French.