Briefing

The European Union’s data protection regulators have decided to significantly increase General Data Protection Regulation (GDPR) enforcement cooperation. In April 2022, the regulators published the Vienna Statement on Enforcement Cooperation. In May 2022, the European Data Protection Board (EDPB) published Guidelines 04/2022 on the calculation of administrative fines under the GDPR and opened a period of consultation. Since the GDPR came into force in 2018, EU GDPR regulators have developed their own enforcement strategies, investigation thresholds and methodologies for calculating and imposing fines. Many of these were unpublished. As GDPR regulators began to deal with cross-border investigations and complaints, differences in approach began to strain cooperation. Greater unity and clarity on fines and calculation methods will create more transparency for data controllers, processors, supply chains and individuals. It also helps EU GDPR regulators to deal with the same cases in similar ways in practice, which builds trust and confidence.

EU GDPR Fine Rules and New EDPB Guidelines 2022

The GDPR is clear that the calculation of fines is left to the discretion of each EU GDPR regulator, in line with the law. Each fine must be effective, proportionate and dissuasive. Data protection regulators must consider the circumstances relevant to the infringement, such as its seriousness, and the character of the perpetrator. The level of the fine should not exceed the maximum amounts listed in the GDPR of €10,000,000 or 2% of worldwide annual turnover (whichever is higher) and €20,000,000 or 4% of worldwide annual turnover (whichever is higher). Each fine must be specific to that case and be calculated according to the elements set out in the GDPR.

In May 2022, the EDPB published the following five-step methodology for calculating GDPR fines. It aims to build on the GDPR’s rules but also to expand the types and levels of analysis to improve transparency, accountability and enforcement cooperation between the EU’s data protection regulators. The Guidelines cover EU cross-border cases and non-cross-border cases.

Step 1 Identify the processing operations in the case and evaluate the application of GDPR Article 83(3).
Step 2 Find the starting point for further calculation based on an evaluation of:
a) the classification in GDPR Article 83(4)–(6);
b) the seriousness of the infringement based on GDPR Article 83(2)(a), (b) and (g);
c) the turnover of the organisation as one relevant element to take into consideration in order to impose an effective, dissuasive and proportionate fine, in line with GDPR Article 83(1).
Step 3 Evaluate aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increase or decrease the fine accordingly.
Step 4 Identify the relevant legal maximums for the different processing operations. Increases applied in previous or later steps cannot exceed this amount.
Step 5 Analyse whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by GDPR Article 83(1), and increase or decrease the fine accordingly.

The EDPB Guidelines state that the calculation of GDPR fines should not be a mere mathematical exercise. The circumstances of each specific case will ultimately determine the final amount between any minimum and the legal maximum. These Guidelines are intended to help EU data protection regulators consistently apply and enforce the GDPR and set out the EDPB’s common understanding of the rules in the GDPR. The Guidelines also aim to create harmonised starting points and a shared methodology for all EU GDPR regulators, but not necessarily harmonised outcomes. The Guidelines apply to all sorts of private sector controllers and processors and extend to the public services, in so far as national member state laws allow.

High GDPR Fine Patterns Since 2018

Together with the power to stop or suspend data processing, the power under the GDPR to issue fines of 2% or 4% of annual worldwide turnover is a powerful enforcement tool. GDPR fines vary greatly. The highest fines announced have been Amazon (€746 million) in Luxembourg, Facebook/WhatsApp (€225 million) in Ireland, H&M (€35 million) by Hamburg in Germany, TIM (€27.8 million) in Italy, British Airways (€22 million) in the UK, Clearview AI (€20 million) in Italy, Caixabank (€6 million), the Dutch Tax and Customs Administration (€3.7 million) in the Netherlands and the National Revenue Agency (€2.6 million) in Bulgaria. These fines were issued largely using each regulator’s own internal and unpublished methodologies and analysis, guided by their interpretation of the law. Several GDPR fines have been challenged in the courts and have been upheld. A few of the fine amounts have been reduced.

GDPR Fines Guidance in the Netherlands, Germany and the UK

In 2019, the Dutch data protection regulator published GDPR fines guidance for companies and government organisations. The guidance emphasised the organisation’s revenue stream as a key factor in the final fine, to be considered at the final stage of the calculation. In 2019, Germany’s data protection authorities published a concept paper on methods for calculating GDPR fines for companies. The concept paper focused on turnover, with a detailed methodology. This approach has not proved sustainable and has been challenged. In 2020, the UK data protection regulator published draft guidance setting out four categories of culpability, which included the organisation’s turnover and proposed fine reductions to encourage early payment. Post-Brexit, the UK GDPR draft fine guidance was updated, simplified and received consultation responses in 2022.

Future EU GDPR Fines: Looking Ahead

These EDPB Guidelines are likely to change with consultation and over time. Businesses and organisations will be better able to understand the important elements that make up a GDPR fine. The themes of proportionality, transparency and EU enforcement interoperability now appear to be the driving forces in EU GDPR financial penalty calculations. It is unclear whether this will encourage or discourage appeals against the amount and calculation methods of GDPR fines. However, it is important to remember that these are guidelines. Each EU data protection regulator has scope to decide how much of the guidelines to apply in each case. The ability of EU data protection regulators to issue dissuasive or exceptional fines remains. The decision-making autonomy of each regulator, on a case-by-case basis, continues to operate.

For assistance with EU/UK GDPR compliance, data protection regulatory investigations, GDPR enforcement support, data breach response and our Legal & Regulatory Support services, contact Privacy Solved:

Telephone: +44 (0) 207 175 9771 (London)

Telephone: +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS062022

Briefing

Globally, at any given time, there are international, economic or trade sanctions in place that directly affect countries, sectors, businesses, organisations and individuals. The world is interconnected in terms of trade, investment, financial flows, debt repayments and just-in-time supply chains. Sanctions are often underpinned by laws with criminal and civil penalties. Russia’s annexation of Crimea in 2014 and its subsequent invasion and war in Ukraine in 2022 have led to an unprecedented level of international, coordinated and punishing sanctions against Russia. Its political system, leaders, parliament, central bank, key sectors, businesses, influential individuals and its uber-rich citizens, called oligarchs, have all been targeted. Currently, significant sanctions are in place against Russia, Belarus, Iran, North Korea, Syria, Myanmar, Venezuela and Cuba. The European Union, China and the United States have imposed a range of unilateral trade sanctions between themselves in recent years to protect several of their strategic sectors. Sanctions directly affect confidence, investment, trade and international data flows. After sanctions are imposed, the data flows to and from sanctioned parties must be scrutinised for lawfulness, human rights compliance and for fit with an organisation’s Environmental, Social and Governance (ESG) position.

Types of Sanctions

International sanctions are political and economic decisions, made through diplomatic efforts by countries, multilateral or regional entities against states and organisations to protect international law and national security and to defend against threats to international peace and security. These sanctions are normally put in place by the United Nations (UN), or by countries working in consultation with the UN. These decisions include temporary economic, trade, diplomatic, cultural, environmental and other restrictions or blocks. Sanction measures are lifted when the issues that led to the restrictions end or the situation changes. Often, sanctions are given their primary functional title, such as diplomatic sanctions or economic sanctions. Sanctions remain the international community’s most powerful peaceful actions to prevent or respond to threats to international peace and security. Increasingly, unilateral sanctions can be imposed by one country on another nation to further its strategic interests via strong economic pressure through economic, trade or diplomatic activities. Breaching sanctions deliberately or inadvertently can lead to criminal or civil penalties. Assisting a sanctioned entity or an individual to evade sanctions can also lead to severe consequences for all involved.

Lawfulness and Fairness in Data Flows

A key principle in international data governance, data protection laws and modern data privacy analysis is that the processing of personal data, personal information and personally identifiable information must always be done lawfully and fairly. Lawful means that the activity should not breach civil or criminal laws, directly or indirectly. Fairness is a wide concept and includes equity between the parties, respect for natural law, upholding fundamental rights, human rights protection, substantive fairness and fairness in processes. The principle of fairness discourages the sharing of personal data and personal information for covert purposes, or by tricks, deception, obfuscation, online dark patterns or the misuse of language. Fairness considerations can also protect individuals with special or protected characteristics such as age (young and old), disability, ethnic origins or nationality.

The EU’s General Data Protection Regulation (GDPR) requires transparency and accountability in data flows. China’s Personal Information Protection Law (PIPL) and Brazil’s Data Protection Law (LGPD) contain a fundamental principle that all parties should act in “good faith” when they collect, use, share or store personal information. The flow of personal data to sanctioned countries, sectors, businesses, organisations, groups or individuals can conflict with lawfulness, fairness, transparency, accountability and good faith requirements. Companies and organisations should ensure that they do not breach these principles when dealing with sanctioned entities and individuals. Breaches of data protection and data privacy rules could lead to investigations, reprimands, administrative fines, third-party actions, other enforcement action or legal (court) action.

International Personal Data Transfer Risk Assessments

Aware that the transfer and sharing of personal data to some foreign countries can put individuals at risk, breach national laws and cause other harms, European regulators such as the European Data Protection Board (EDPB) and the European Commission have led the way in developing data Transfer Impact Assessments (TIAs). In the UK, these are often called Transfer Risk Assessments (TRAs). These assessments seek to evaluate a wide range of information to assess the risks to individuals and personal data flows. They also assess the level of compliance with the GDPR and other laws in recipient countries or organisations. Considerations include the types of data, the types of data subjects (individuals), the sectors, the purpose of the data transfer and the transfer methods proposed. The technical and organisational systems in place to secure the data transfers, the list of countries the personal data will pass through and the possibility of onward transfers to third or fourth countries are also crucial considerations. In this process, identifying sanctioned countries, organisations and individuals could be crucial to the sender’s corporate risk, insurance cover, legal compliance and liability.

Crucially, these data transfer assessments also aim to evaluate the receiving country’s human rights record, its legal system, its courts and how foreign judgments are recognised. The laws relating to third-party access to data, including by government bodies and the security and intelligence services are also reviewed.

For a sanctioned country, organisation, sector or individual, these assessed factors will be influenced by the existence of sanctions. A country’s human rights record that led to international sanctions could make incoming international data transfers high risk, unlawful or unfair. Both the human rights record and the specific sanctions restrictions could prove to be problematic or prohibitive. If a country’s political system requires that all data centres and internet traffic are scanned for political purposes, this could make the data transfer high-risk, needing additional technological safeguards such as data minimisation, pseudonymisation or anonymisation to reduce the data protection risks. Sanctions may also prohibit certain economic activities or sector-specific trading, and so the sharing of personal data to facilitate these activities, directly or indirectly, could breach the sanction measures. Sanctions could target government or military organisations. This is the case in the sanction measures against Myanmar. Identifying true beneficial ownership is crucial. However, it is often difficult to clearly identify all government-directed, military-supported, government-owned and government-backed organisations. The work of transferring personal data to sanctioned countries, entities or individuals is difficult and it can be a dynamic, fast-moving environment.

Steps to Better Environmental, Social, Governance (ESG) and Compliance

The following steps will help businesses, organisations, governments and public sector bodies to better navigate the international personal data flows affected by sanctions regimes.

(A) Monitoring Sanctions Lists, in all relevant territories, should be a high priority. This should be done regularly, as part of business-as-usual processes. These lists should also be consulted during supplier and partner due diligence and when a key organisation in the existing supply chain changes its ownership, size or composition. Experts that understand the full intent, meaning and implications of sanctions on data and personal data flows should be consulted.

(B) Registers of Processing Activities (ROPAs) should be properly maintained, reviewed and updated by companies and organisations that fall within the scope of the EU’s GDPR or similar laws in the UK, Brazil, China and the UAE. A ROPA can help to answer important preliminary questions such as the level of exposure to a sanctioned country, company, organisation, sector or individual. It can also be used to highlight, at least broadly, which countries send and receive which types of personal data and the intended purposes.

(C) Contractual agreements are important governance tools when dealing with sanctions. Contracts are widely used to facilitate trade and transfer personal data around the world. These include international data transfer agreements, data protection Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and various types of data processing agreements. Sanctions could make these agreements voidable, void or otherwise untenable. Parties could be forced to trigger the frustration or force majeure clauses, which could lead to contract termination and remove existing duties to perform the contract. Signing agreements that undermine or conflict with sanctions, after sanctions have been imposed, could breach criminal and civil laws. Detailed legal advice and care should be taken when parties seek to deliberately contract in ways that aim to stay within the legal limits of transferring personal data to sanctioned countries, businesses, entities and individuals.

(D) Systematic Supply Chain Reviews are important, especially detailed periodic reviews. Companies and organisations could be subject to criminal and civil liability if they take steps to evade or help other parties to avoid sanctions. Work should be done to ensure that substitute suppliers and third parties are not simply re-routing goods, services and data to sanctioned countries, businesses, organisations and individuals. Mergers and acquisition activity should be monitored, as well as the unusual creation of offshore companies, holding companies, subsidiaries, branches and other formalised attempts to disguise the true beneficial owners of legal entities and assets.

(E) Anti-Money Laundering (AML) and Know Your Customer (KYC) Procedures should be upgraded. This is crucial in order to respond to the personal data risks associated with sanctioned countries, businesses, organisations and individuals. The use of cryptocurrencies, speciality blockchains, non-fungible tokens (NFTs), unexplained venture capital funds, aggressive modern art market investments, cybercrime and any involvement in the ransomware ecosystem should be fully investigated.

PrivacySolved has many years of expertise in global data protection, data privacy, international data transfers and Environmental, Social and Governance (ESG) activities, including work with key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone: +44 (0) 207 175 9771 (London)

Telephone: +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS032022

Briefing

The EU’s General Data Protection Regulation Data Protection Officer (GDPR DPO) role has been specifically crafted. Before the GDPR, Data Protection Officers (DPOs) existed because of a range of national laws, guidance and best practice. Globally, related roles such as Chief Privacy Officers, Privacy Officers, Heads of Data Protection, Data Protection Lead Counsels, Data Guardians and Data Governance Leads have also developed. However, GDPR DPOs have a clearer legal mandate, function and licence to operate. The largest companies and organisations, subject to several data protection laws, must decide how much the GDPR DPO role will influence the overall structure and substance of their global data privacy programmes. The danger is that the fundamental and unique elements of the GDPR DPO role can become trapped in governance systems that prioritise uniformity, efficiency, base-level interoperability and the lowest common denominator. It is important that the GDPR DPO role remains distinct, effective, influential and accountable.

Benefits and Risks: Appointing and Not Appointing a GDPR DPO

Not all businesses and organisations are legally required to appoint GDPR DPOs. Before GDPR, most DPOs were regarded as good practice appointments, where there was no clear legal duty to do so. This practice has continued through GDPR implementation. The GDPR is clear that both Data Controllers and Data Processors should appoint GDPR DPOs, in line with the law. Broadly, all public authorities and non-judicial public bodies must appoint GDPR DPOs. They are also legally required where any organisation regularly and systematically monitors individuals on a large scale or carries out large-scale processing of special categories of personal data or criminal offences data. Most organisations, especially larger ones, fall within these two latter categories. Where the law requires a GDPR DPO, one must be appointed, or risk breaching the GDPR. DPO appointments also encourage data governance accountability.

Questions arise for small Data Processors or Data Controllers that do not meet the GDPR DPO threshold tests. Should they appoint a GDPR-type DPO? If they do so, should the DPO be fully GDPR-compliant, or can the organisation create its own unique DPO role? European Data Protection Board (EDPB) Guidance states that if organisations adopt a GDPR DPO, even where they are not legally obliged to do so, that DPO will be judged against the full legal requirements of the GDPR. Choosing not to have an identifiable GDPR DPO is also risky. The organisation will lack the capacity to build and mature data protection programmes. Working with larger data-intensive organisations, liaising with GDPR regulators, responding to data breaches and keeping up to date with data protection, cybersecurity and good practice changes will also be more difficult.

Managing Great Expectations

The GDPR DPO can be an internal employed member of staff or an external appointment. The office holder must be well qualified, well resourced, independent and act independently. They may fulfil another role in their organisation but must avoid conflicts of interest. For example, they must not make specific data processing decisions and then provide assurance or GDPR compliance sign-off for that data processing activity. They must act autonomously and cooperate with the GDPR regulator. They must have tangible influence by reporting to the highest level of management. Conversely, they must also be accessible and contactable by staff inside the organisation, external individuals, external stakeholders and GDPR regulators. They must also not be disciplined, removed or suffer other detriment because of performing their role and duties.

The GDPR DPO’s baseline outputs are to inform and advise. They must monitor compliance, which includes involvement in promoting awareness training, assigning responsibilities and audits. The GDPR DPO should provide advice for Data Protection Impact Assessments (DPIAs). They must cooperate with and act as the point of contact for the GDPR regulator. Although not an explicit legal requirement, GDPR regulators expect DPOs to be involved in offering information and advice on decisions to report data breaches to the regulators and to individuals affected. GDPR DPOs are not responsible for GDPR compliance; this always remains the legal responsibility of the Data Controller or Data Processor.

DPOs in Reality: Details Matter

Despite the clear legal requirements, regulatory guidance and established best practice, some businesses and organisations have kept legacy data governance structures and pre-GDPR DPO reporting lines. Much of this may be a result of corporate or organisational inertia. For other organisations, whose business models prefer low or no regulation, the GDPR DPO role is often minimised or an external law firm is used to provide legal advice from time to time. No organisational or cultural change in data governance is anticipated. The GDPR DPO requirement challenges organisational power centres and leadership cliques. It requires boards to work closely with a board outsider, who is legally obliged to act independently and respond to an external regulator, if and as required. It also challenges business cultures that regard regulatory compliance as interfering, anti-innovation and bureaucratic, because the GDPR DPO must monitor compliance and report to the highest level of management. Often, in these organisations, the selected DPO is a middle manager with limited influence, little direct budget and few resources. The DPO is not seen as a coveted role for inward or outward career progression. The DPO is located far from senior leadership and the centres of power. The GDPR DPO role is also a challenge to organisations that are opaque, siloed and do not actively promote transparency and accountability.

In some organisations, the DPO is seen as an arms-length advisor, a person to go to for an opinion. DPOs are only permitted to become involved in a matter after business and data-use decisions have been finalised, and their role is to offer a view, for the record, which may not influence the decisions already made. The aim, in these organisations, is to evidence that they have an established process for DPO involvement. Data Protection by Design and Default, as well as high quality iterative Data Protection Impact Assessments (DPIAs), are rare and the ones completed are often superficial. In some organisations, a very senior person with an existing substantial role is appointed as the DPO. The real work is done by a far more junior Data Protection Manager and a small team. This senior person does not have the expertise, proximity to the data processing or the ability to spot data protection issues, and so other senior employees see data protection as a non-demanding adjunct activity. For other businesses, using external or outsourced DPOs can be an effective way of freeing data governance from corporate apathy and internal factions and of ensuring a level of detached, independent expert analysis. The challenge for these organisations is to agree enough funding for these services and to provide effective internal support systems for the external or outsourced DPO. High quality internal access for the DPO, to fully understand the organisation and to ensure that the DPO’s outputs are respected and actioned, is vital for this approach to be effective.

What the GDPR Regulators say about DPOs

The EU’s data protection regulators have started to investigate and enforce the GDPR DPO requirements. They have restated and emphasised the legal duties and issued fines to businesses and organisations that have not met the legal requirements of the role. Most of the enforcement decisions have been in Belgium, Germany, Spain, Greece, Luxembourg and Austria and were about the failure to appoint DPOs. In 2020, the Belgian Data Protection Authority, Autorité de protection des données / Gegevensbeschermingsautoriteit (APD-GBA), fined a company for its DPO’s lack of independence because the DPO had other roles in the organisation. There was no system to prevent conflicts of interest and the DPO was not sufficiently involved in the handling of personal data breaches.

In a series of cases in 2021, the Luxembourg Data Protection Authority, Commission Nationale pour la Protection des Données (CNPD), issued fines against five companies for DPOs not reporting to the highest level of the organisation (two levels of hierarchy were in between), insufficient resources to fulfil the role and not including the DPO in all data processing matters. CNPD also fined an organisation for not properly training the DPO so that they could independently and properly advise and inform the organisation. It also found that a DPO lacked sufficient autonomy. CNPD found common themes, such as Data Controllers not having control plans to ensure that the DPO’s duties were being properly performed.

The legal position on the role of the GDPR DPO is clear. Data Controllers and Data Processors cannot argue lack of knowledge, unclear legal interpretation or uncertainty, when their DPOs and other GDPR accountability and transparency efforts are judged and put to the test.

PrivacySolved offers External and Special Projects Data Protection Officers, as well as Data Protection Officer as a Service (DPOaaS). We also offer international businesses and organisations EU and UK Data Protection Representative Services. Contact PrivacySolved:

Telephone: +44 (0) 207 175 9771 (London)

Telephone: +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS022022

PrivacySolved is a proud member of Cyber Ireland, Ireland’s cyber security cluster. PrivacySolved x Cyber Ireland celebrates Cyber Ireland’s First Annual Conference in October 2021, marks European Cybersecurity Month #CyberSecMonth and highlights the annual Cybersecurity Awareness Month #CybersecurityAwarenessMonth. Published below is a collection of trusted information security resources, cybersecurity insights and tools to inform Ireland’s security ecosystem and community. This information is also very useful for our partners, friends and colleagues around the world. We are all connected.

Cybersecurity Insights

Cybersecurity: Focus on Ireland’s National Cyber Strategy

Cybersecurity and Cyber Resilience in the Fintech Sector

The Ransomware Problem: Board and Leadership Priorities

Cybersecurity: Key Data Security Sources for Surviving Covid-19

Coronavirus Covid-19 and the Future of Cybersecurity

Data Breach Reporting Guidance and Tools

Data Protection Commission Ireland

National Cyber Security Centre (Ireland)

Information Commissioner’s Office UK

National Cyber Security Centre (UK)

ENISA: Personal Data Breach Notification Tool

Europol and European Cybercrime Centre (EC3)

CISA: Stop Ransomware (USA)

Essential Online Resources

European Union Agency for Cybersecurity (ENISA)

Cybersecurity and Infrastructure Security Agency (CISA)

US-CERT

Federal Bureau of Investigation (FBI)

Australian Cyber Security Centre

Canadian Centre for Cyber Security

National Cyber Security Centre (Netherlands)

National Cyber Security Centre (New Zealand)

The National Cybersecurity Agency of France

Cyber Security Agency of Singapore

BCS, The Chartered Institute for IT

SANS Institute

ISACA

(ISC)²

Briefing

The global coronavirus pandemic has become far more than an international public health issue. The effect of Covid-19 on economic life, employment, politics, social interaction and the environment is wide-ranging and evolving. Work and travel have become the testing ground for countries and communities to prove their resilience and ability to bounce back. Vaccine passports and vaccine certificates allow vaccinated people to gain re-entry to the workplace, social spaces and travel. These certificates can appear as software applications, paper certificates, official stamps, barcodes, Quick Response (QR) codes and verifiable tokens. Technology has led the way in providing vaccine confirmation solutions, and the data collected and stored are seen as crucial to effectiveness and an evidence-based approach. The use of vaccine passports for employment and travel raises complex issues and requires full consideration of the law, public policy, public health, political priorities, human rights, economic considerations and social norms. These considerations directly impact trust, effectiveness and safety.

Focussing on the Key Data Protection Principles

The EU’s General Data Protection Regulation (GDPR) is a useful tool to analyse and balance the competing priorities of vaccine passports and certificates. As a legal and policy framework, the GDPR does not provide all the answers. A focus on Article 5 of the GDPR, however, can be used to identify the most important issues, agree priority outcomes, highlight information governance gaps, introduce ethical data use ideas and apply a risk-based approach to data collection and use.

Much of the information in Covid-19 data systems and vaccine passport databases will be special categories of personal data, such as information about physical and mental health, sexual life, sexual orientation, race or ethnic origin, religious or philosophical beliefs, genetic data and biometric data. These systems carry out high risk data processing, which is further complicated by also using other data such as geolocation data, financial information, name, address, date of birth, workplace address and details about family members.

For Limited Purposes

An important GDPR principle is that personal data should be collected for identifiable and limited purposes. Purposes should be clearly identified at the start of data collection and followed through the life cycle of the project. Data collected for vaccine passports and Covid-19 status certificates can be attractive for a range of secondary uses, which may arise in the future. However, those collecting personal data should be cautious in sharing the information with parties that are not identified at the start of the data collection or for purposes that are not compatible with the stated purposes. Vaccine passports and certificates give and confirm information about moments in time. Using this information for other purposes in the future could offer limited benefits when compared to the risks.

Lawful, Fair and Transparent

The use of personal data should be lawful, fair and transparent. The data processing involved in vaccine passports should be clearly understood by users and by those who can be identified from the personal data collected. This simple principle can be neglected if the data project is rushed, the data use remains partially undefined, the system is a black box artificial intelligence system, machine learning is used without clear limits, or ownership of the data system is divided among many parties with competing or vastly different interests. These concepts are key to a data protection by design approach. Fairness is also about the necessity and proportionality of the data collection and use, as well as whether these meet the legitimate expectations of the individuals involved.

Accuracy

Personal data used should be accurate and kept up to date. Personal data should also be as accurate as possible at collection, with high levels of data quality maintained thereafter. Covid-19 vaccines vary in both efficacy and effectiveness. Covid-19 status certificates, lateral-flow tests and other testing also vary in data quality. The accuracy question is about what the data says, when the data are collected and what effect the information has on both the individual and the Covid-19 data system. Accuracy changes with time and with adding or subtracting data from a data set. Accuracy also depends on who will access and read the personal data and on the intended uses of the data. Accuracy is protected by both organisational methods (such as training) and technical systems.

Data Minimisation

Covid-19 data systems and vaccine passports should use the minimum personal data necessary to fulfil the stated purposes. This can be difficult, because stakeholders often wish to retain the right to re-use these personal data and so encourage data maximisation. Public health and research stakeholders can also encourage greater volumes of data collection. Data practices such as big data, machine learning and deep learning also encourage data intensification. Data minimisation is a practical principle encouraging targeted data sets, reduced data storage costs, less information to secure, improved data analytics and reduced risks associated with cyberattacks and data breaches.

Limits to Data Retention

Personal data should not be kept, used and stored for longer than necessary. This data hygiene principle is also called the storage limitation principle and governs the data lifecycle. When planned properly, the application of this principle can help with all other GDPR principles, acting as a practical lever. Covid-19 personal data systems should develop personal data retention schedules, which lay out the data lifecycle and include data review and data deletion dates. Data retention decisions also cover pseudonymisation, data masking, hashing, encryption and putting personal data beyond use. These concepts are important in helping to define data risk.
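The retention schedule described above can be made operational rather than left as a policy document. The following is an added example, not code from the briefing or from any real vaccine passport system: a small Python routine that applies a constructed retention schedule to constructed Covid-19 status records, pseudonymising direct identifiers with a keyed hash (HMAC-SHA256) once a record passes its review date and dropping the record once it passes its deletion date. The category names, field names, retention periods and key are all assumptions for illustration.

```python
"""Added example: enforce a personal data retention schedule on Covid-19 status records.

Each record category carries a review date and a deletion date relative to collection.
At review time the identifying fields are pseudonymised with a keyed hash; at deletion
time the record is removed. Schedule, field names and records are constructed here.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention schedule (assumed category names, not from any real system):
# days after collection until review/pseudonymisation and until deletion.
RETENTION_SCHEDULE = {
    "vaccine_certificate": {"review_after_days": 90, "delete_after_days": 365},
    "lateral_flow_test":   {"review_after_days": 14, "delete_after_days": 60},
}

# Direct identifiers replaced at review; the remaining fields stay for analytics.
IDENTIFYING_FIELDS = ("name", "date_of_birth", "address")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: records for one individual stay linkable inside the system, but the
    value cannot be reversed or brute-forced without the key (a plain hash over a small
    domain such as dates of birth would be). Destroying the key later puts the
    pseudonymised fields beyond use."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def apply_retention(records, today: date, key: bytes):
    """Return (kept_records, deleted_ids).

    Records past their deletion date are dropped; records past their review date have
    identifying fields replaced by pseudonyms. Input records are not mutated."""
    kept, deleted = [], []
    for rec in records:
        rule = RETENTION_SCHEDULE[rec["category"]]
        collected = rec["collected_on"]
        if today >= collected + timedelta(days=rule["delete_after_days"]):
            deleted.append(rec["record_id"])
            continue
        due_for_review = today >= collected + timedelta(days=rule["review_after_days"])
        if due_for_review and not rec.get("pseudonymised"):
            rec = dict(rec)  # copy before altering
            for field in IDENTIFYING_FIELDS:
                if field in rec:
                    rec[field] = pseudonymise(rec[field], key)
            rec["pseudonymised"] = True
        kept.append(rec)
    return kept, deleted


# Constructed sample input (fictitious people and dates).
SAMPLE_RECORDS = [
    {"record_id": "r1", "category": "vaccine_certificate", "collected_on": date(2021, 1, 10),
     "name": "A. Sample", "date_of_birth": "1980-05-02", "address": "1 Example St",
     "vaccine": "X"},
    {"record_id": "r2", "category": "lateral_flow_test", "collected_on": date(2021, 3, 1),
     "name": "B. Sample", "date_of_birth": "1975-11-20", "result": "negative"},
    {"record_id": "r3", "category": "lateral_flow_test", "collected_on": date(2021, 6, 1),
     "name": "C. Sample", "date_of_birth": "1990-01-01", "result": "negative"},
]


def run_example(today: date = date(2021, 6, 10), key: bytes = b"constructed-demo-key"):
    """Run the schedule against the sample records on a fixed date for reproducibility."""
    return apply_retention(SAMPLE_RECORDS, today, key)


if __name__ == "__main__":
    kept_records, deleted_ids = run_example()
    print("deleted:", deleted_ids)
    for r in kept_records:
        print(r["record_id"], "pseudonymised" if r.get("pseudonymised") else "in clear")
```

On the fixed example date the vaccine certificate (collected five months earlier) is past review and is pseudonymised but retained, the older lateral-flow test is past its deletion date and is removed, and the most recent test is still inside its review window and is kept in the clear. Running the routine on a schedule, with the dates and outcomes logged, is the kind of evidence that supports the accountability principle discussed later in this briefing.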

Information Security, Integrity and Confidentiality

Personal data should be collected and used in ways that ensure information security. These protections should reduce the risk of unauthorised access, unlawful use, accidental loss, destruction and damage to personal data. Covid-19 data systems and vaccine passports should be protected by risk-based, high quality technical and organisational measures. EU GDPR regulators are also keen to ensure that organisations adopt a proactive approach to information security and actively respond to emerging threats from cloud data, phishing attacks, ransomware, cryptocurrency scams and social engineering attacks.

Accountability: Demonstrating Governance and Compliance

The key principle for data protection excellence is accountability. This is the ability of Covid-19 data systems and vaccine passports to demonstrate compliance with the GDPR to individuals, data controllers, data processors and all stakeholders. Accountability means following all the other principles, carrying out data flow mapping and maintaining Records of Processing Activities (ROPAs). It also means reporting data protection risks to the board or senior leadership, appointing Data Protection Officers and completing Data Protection Impact Assessments (DPIAs). For individuals identified in Covid-19 data systems, accountability includes clear GDPR notices, allowing data subject rights to be exercised and having a high-quality consent management system (where consent is being requested). Accountability is also a practical tool to build trust, engagement, effectiveness and good reputation, and to enhance the quality of the Covid-19 data systems. Accountability also creates future-proof, resilient systems and processes.

For further assistance with Covid-19 data, vaccine status verification systems and GDPR compliance, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com

PS062021

Introduction

The General Data Protection Regulation (GDPR) applies directly to companies and organisations located in the European Union (EU) and around the world. The law has a deliberately wide scope, based on how personal data about individuals in the EU are collected, used, monitored and stored. Companies and organisations that do not have an established presence in the EU must appoint a Data Protection Representative (Representative) based in the EU in line with Article 27 of the GDPR. This rule is not new; it has been an EU requirement, in a more limited form, since 1995. The Representative allows individuals in the EU to directly enforce their data protection rights and gives EU GDPR regulators a reliable point of contact within their countries.

The Representative is a strategic role, helping foreign companies and organisations to actively monitor GDPR regulators’ priorities, enforcement and key guidance. It is also practical, allowing individuals, users and consumers in the EU to have an access point in the EU. The Representative is more likely to communicate with them in local languages and appreciate local risks, norms and expectations. The Representative is also legally required to understand data flows that affect individuals based in the EU by being involved with GDPR Records of Processing Activities (ROPAs).

1. What types of companies or organisations need European Data Protection Representatives?

Companies and organisations that have no established presence in the EU but process the personal data of individuals in the EU and carry out activities that are covered by the GDPR. This applies whether the personal data processing takes place inside or outside of the EU. The company or organisation can be a Controller or Processor as defined by the GDPR. However, non-EU based public bodies, government organisations, diplomatic missions and consular posts do not have to appoint European Data Protection Representatives.

2. When does a company or organisation need to appoint a European Data Protection Representative?

Companies and organisations should review their data flows, personal data inventories and GDPR ROPAs on a continuous basis to check if their activities are covered by the GDPR. Where companies and organisations offer goods or services to individuals in the EU, even free services, or monitor the behaviour of individuals based in the EU, the need for a European Data Protection Representative must be considered. That a non-EU website, email address and other contact details are accessible within the EU does not, by itself, mean a Representative is required. Companies and organisations should consider whether they use EU languages in their trading or work, use EU currencies, deploy marketing targeted at EU users and consumers, or provide users with direct facilities to order and receive goods and services. The use of geographic targeting technologies, cookies, profiling of EU users and other monitoring and surveillance could indicate the need for a Representative. Foreign companies and organisations that employ staff, contractors, distributors and agents in the EU are also likely to need to consider appointing a European Data Protection Representative.

The requirement does not apply if the processing of personal data about those in the EU is occasional or small scale, or where there is no large-scale processing of special categories of personal data or criminal records data that negatively impacts the rights and freedoms of individuals.

3. What are the legal duties and key requirements of European Data Protection Representatives?

EU GDPR Representatives:

(a) Must maintain ROPAs of the Controller’s or Processor’s personal data flows.

(b) Must cooperate with EU GDPR regulators (Supervisory Authorities).

(c) Must be situated in an EU country where individuals who are offered goods, offered services or have their behaviour monitored are based.

(d) Are appointed by the foreign-based Controller or Processor and can be contacted by EU GDPR regulators and individuals in the EU, in addition to, or instead of, the Controller or Processor.

(e) Act as the Controller’s or Processor’s Representative, but the Controller and Processor remain responsible, liable and directly subject to legal and regulatory action in the EU.

(f) Carry out the Data Protection Representative Service as specifically agreed with the Controller or Processor.

(g) Are subject to enforcement proceedings for non-compliance by the Controller or Processor.

(h) Are designated and appointed in writing by the Controller or Processor.

4. What are the differences between GDPR-appointed Data Protection Officers and GDPR European Data Protection Representatives? Can the roles be carried out by the same person or organisation?

The Data Protection Officer is largely an internal appointment who must act independently and report to the highest level of management in a company or organisation. The Data Protection Officer should not, at the same time, perform an operational role in charge of data processing in the organisation. The Data Protection Representative is largely outward facing, positioned to liaise with individuals whose personal data are being processed and with EU GDPR regulators. The Representative is not restricted from taking part in the operational aspects of the Controller’s or Processor’s data processing activities.

The Representative must act within the terms of the appointment and the mandate of the Controller or Processor, as a type of agent. The Representative is not legally required to be independent but must represent and stand in the place of the Controller or Processor within the EU. If a single entity or person attempted to act as both a GDPR Data Protection Officer and a European Data Protection Representative at the same time, there is likely to be a conflict of interest and practical limitations. However, both roles share the need for ROPA expertise and the ability to work effectively with individuals and EU GDPR regulators.

5. The United Kingdom (UK) has left the EU, should UK Data Protection Representatives be appointed to comply with UK data protection law? Do companies and organisations based in countries that have a data protection adequacy agreement with the EU need to appoint European Data Protection Representatives?

The UK’s exit from the EU means that it is no longer an EU Member State. The UK Information Commissioner’s Office (ICO), the data protection and GDPR regulator, is no longer a GDPR Supervisory Authority or member of the European Data Protection Board (EDPB). The UK has carried forward the GDPR, and so where a company or organisation needs to appoint a European Data Protection Representative, and the same or similar data processing activities take place in the UK, a UK Data Protection Representative should also be appointed. This requirement will continue even when the UK gains a data protection adequacy agreement from the EU. At present, all companies and organisations in the European Economic Area (EEA) and those based in countries that have an EU data protection adequacy agreement still need to appoint Data Protection Representatives in the EU if they process personal data, have no established presence within the EU, but offer goods, offer services (even for free) or monitor individuals’ behaviour in the EU. This is true even where this data processing activity never takes place on equipment that operates within the EU (or the UK).

To access our European Data Protection (GDPR) Representative services, UK Data Protection Representative services, Data Protection Officer services or Brexit data services, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS012021

Briefing

On 24 December 2020, the European Union (EU) and the United Kingdom (UK) signed the EU-UK Trade and Cooperation Agreement (the “Trade Deal”) to provide an ordered and more certain outcome for the end of the transition period on 31 December 2020. A process of ratifications will take place in January 2021. A no-deal Brexit has been avoided, but this Trade Deal has been described as “thin.” The Trade Deal includes a zero-tariff regime for many goods. The UK economy is approximately 20% goods and 80% services, leaving the majority of the economy, the services sectors, with operational uncertainties. The EU’s combined economy is 25% goods and 75% services. From a data protection, General Data Protection Regulation (GDPR) and information security perspective, the Trade Deal provides some clarifications. However, there are still uncertainties to be worked out in the coming months and years.

UK Data Protection Adequacy

The UK will not receive a data protection adequacy decision from the EU before 31 December 2020. As a result, the Trade Deal has extended the data protection status quo that operated during the Brexit transition period, for a further 6 months to June 2021. UK data protection adequacy is not guaranteed in June 2021 and adequacy could be withheld by the EU, but the language of the Trade Deal appears optimistic. An adequacy decision will allow personal data to flow freely from the UK to the EU/European Economic Area (EEA) and from the EU/EEA to the UK, without the need to use the international data transfer mechanisms in the GDPR designed for non-EU third countries. The Trade Deal states that the UK will not be considered a third country for EU/EEA to UK data transfers, for the purposes of EU GDPR, during the agreed extension period. Companies and organisations have a grace period, but still need to plan for the future based on an adequacy decision and also non-adequate third country status.

The need for new EU and UK Data Protection Representatives

Whatever the outcome of the UK data protection adequacy decision and its timing, the UK remains outside the EU. This has been a legal reality since 31 January 2020. Companies and organisations (though not public bodies) without a presence in the EU that offer goods or services to, or monitor, EU citizens in the EU will need to appoint an EU Data Protection Representative in one of the EU’s member states as soon as possible. This is a legal requirement under Article 27 of GDPR. The EU-UK Withdrawal Agreement and related changes to UK data protection laws require UK Data Protection Representatives for organisations based outside the UK, without a presence in the UK, that offer goods or services to, or monitor, UK citizens in the UK. Companies and organisations in the UK, EU, EEA and around the world should conduct a gap analysis and determine whether these services are legally required.

The UK Information Commissioner’s Office’s (ICO) reduced role

The ICO is one of the largest and most active data protection and GDPR regulators. Its English language output has a substantial impact on large parts of the world and on international organisations. Brexit means that it is no longer an EU Supervisory Authority under GDPR and so companies and organisations should repatriate key EU GDPR roles to other Supervisory Authorities based within the EU. Ireland’s Data Protection Commission is a near-neighbour substitute. These EU GDPR roles include registering Data Protection Officers, registering Binding Corporate Rules (BCRs), making referrals to the Court of Justice of the European Union (CJEU) and participating in the work of the European Data Protection Board (EDPB) and European Commission. The ICO’s future output will bind UK companies and organisations and foreign companies doing business in the UK. The extent to which most EU, EEA and international companies, who have an EU lead GDPR Supervisory Authority, will be bound by its guidance, codes of practice, decisions and enforcement is uncertain. It is also unclear how closely the ICO will consider or follow the opinions, recommendations and decisions of the EDPB, CJEU and the European Commission. The ICO will have very little direct legal obligation to do so, going forward. The ICO’s role in the maturing and development of the EU’s GDPR will reduce over time.

The Trade Deal: Clear for Goods, More uncertain for Services

The service sectors in the UK and EU generate, use and share a lot of personal data and special categories of personal data. The Trade Deal is focused primarily on goods, security cooperation, trade dispute resolution mechanisms and other discrete areas of trade and cooperation. Data flows in many services sectors such as financial services, information technology, business services, professional services, ecommerce/online retail, leisure, tourism, travel, sports, the arts, entertainment and personal services are affected by Brexit. Established data flows will be changed by new trading restrictions, new processes and limits on data sharing. New data flows will be created that companies and organisations must map, risk assess, manage and protect with information security measures. Businesses and organisations in the UK may increasingly turn to non-EU partners, suppliers and customers as UK government policy promotes global trade and new international trading corridors. This will create both challenges and opportunities and require better management of international data transfers, supply chain risks, information security resilience, human rights compliance risks and geopolitical risks.

Complexities in Information Security and Cybersecurity

As the UK is no longer a member of key EU institutions, the immediate future will be uncertain as security, information security and cybersecurity relations are re-established or reconstituted. The UK will lose direct member access to the European Union Agency for Cybersecurity (ENISA), Europol and Eurojust. Cooperation on cross-European cybersecurity threats, risks and responses will be negatively affected in the short to medium term. Companies and organisations should monitor these relationships and bolster their individual cyber defence capabilities. Businesses operating in or enabling critical national infrastructure or regulated sectors such as financial services, healthcare, pharmaceuticals and high value engineering will need to adopt more substantial measures. Will there be future conflicts over whether UK or EU/EEA cybersecurity standards will apply between UK and EU/EEA partners? In the longer term, will international businesses choose to mandate EU/EEA information security standards over UK standards, or adhere to both at additional cost? Companies and organisations will need to strategise about appropriate solutions and sector norms.

Other Immediate and Future Impacts: Work, Travel, Employee Data, Procurement, Immigration, Professional Qualifications and related areas

Personal data requirements, collection, storage and sharing are affected in many common areas, impacting many companies, organisations, supply chains and staff mobility. Human Resources departments, already facing data protection and cybersecurity challenges from the coronavirus pandemic, will face new, fast changing and unresolved data flows of employee data, including proof and authorisation of professional qualifications. Work permits, visa applications and new immigration rules will diversify data sets and introduce high risk data processing. Other departments and functions like sales, marketing, finance, compliance, legal, audit, information security and procurement will face immediate and longer term data and cybersecurity challenges. Companies and organisations will be in a constant process of realigning, overcoming uncertainties and filling gaps. The future will require embracing new ways of working together, doing business and sharing data and information between the UK, EU, EEA and globally.

For assistance with Brexit, GDPR and EU data flows, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS122020

Briefing

Over time, the personal data impacts of the United Kingdom (UK) leaving the European Union (EU) will be revealed. The scope of any free trade deal that addresses data protection will set the scene for immediate and long-term personal data flows. In the short to medium term, any adequacy decision will minimise costs and disruption to companies and organisations. The impact of the Court of Justice of the European Union’s Schrems II decision on Privacy Shield, as it applies to the UK, will also become clearer as decisions are made. The future will include new European Commission data protection Standard Contractual Clauses (SCCs) for personal data transfers to non-EU countries. The UK Information Commissioner’s Office (ICO) is also likely to seek to adopt its own international personal data transfer mechanisms and arrangements over time. It is important for companies and organisations to be strategic, measured and deliberate in choosing the way forward.

Strengthen long-term Data Protection Strategy

Companies and organisations should be very clear about their ongoing data protection strategy. UK companies with limited EU / European Economic Area (EEA) and foreign operations must decide their level of proximity to the EU’s General Data Protection Regulation (GDPR), or adopt a more flexible ad hoc approach to anticipate changes to UK data protection laws. EU and EEA companies and organisations that do business with or offer services to UK customers must decide and confirm which data protection standard will be their baseline. They must decide the level of deviation they will permit in accommodating emerging UK data protection norms while staying true to EU GDPR. International companies and organisations must decide on the level of exceptionalism that their data governance programmes will allow for the UK. They should decide whether the UK will be treated as a default EU member state for GDPR purposes and be held to evolving EU data protection standards, despite changes to the UK data protection regime.

Engage with key suppliers and high risk high value contracts

It is important that companies and organisations create and maintain clear channels of communication with their extended supply chains to coordinate their future approaches to data protection. Contracts should be reviewed so that terms which directly or indirectly rely on the UK’s membership of the EU are updated. Key definitions such as “applicable data protection law” and other EU / EEA-centric provisions should be reviewed to reflect the new realities. Standard Contractual Clauses (SCCs) should be considered for large scale and high risk EU / EEA to UK data transfers.

Monitor as the UK becomes an international data adequacy deal maker

The European Union fiercely protects its allocation of data protection adequacy decisions to countries outside the European Union. The UK is fast becoming a broker in the expansion and allocation of data protection adequacy, beyond the EU’s direct remit. Most of the countries included on the EU’s data protection adequacy list have declared that the UK has data protection adequacy. This includes the larger economies like Switzerland, Argentina, Israel and Canada. Japan and the UK have agreed mutual data protection adequacy, which is linked to a new free trade deal. In time, it is likely that the UK and the USA will come to an arrangement on broad data protection adequacy or create a mutual Privacy Shield-type arrangement to accommodate their future economic relationship. Companies and organisations should watch these developments, constantly assess personal data risks, analyse the longer term effects of the Schrems II decision and evaluate the proximity of new adequacy arrangements to EU GDPR.

Get value from EU Data Protection Representatives

Companies and organisations should use the end of the UK ICO’s role as an EU Supervisory Authority under GDPR as an opportunity for strategic thinking about their EU / EEA GDPR exposure. Data Protection Representatives should be appointed within the EU not just to comply with Article 27 of the GDPR, but to stay connected to EU / EEA customers and users, monitor the work and priorities of other EU based Supervisory Authorities and monitor key policy changes taking place in Brussels. EU Representatives should represent non-EU based (and UK) companies and organisations from within the EU, but also feed back to UK and international companies useful insights, trends, strategic positioning and information about enforcement priorities.

Interact with and educate Users and Consumers

Companies and organisations should take the opportunity to update the places where they meet their users, transact with customers and provide information to them. This includes data protection policies and procedures, data protection notices, information security protocols, websites, publications, social media and staff training initiatives. GDPR Records of Processing Activities (ROPAs) should be updated to maintain transparency and accountability. Supply chains, consumers and users should not be surprised on 1 January 2021 with the sudden impacts of the end of the Brexit transition period, but should steadily receive information and guidance so that practical and strategic choices can be made by all parties.

PS112020

Briefing

On 16 July 2020, the European Union’s highest court, the Court of Justice of the European Union (CJEU), delivered the much anticipated decision in the Max Schrems case (Schrems 2). The court was asked by Ireland’s High Court to decide on key mechanisms for international transfers of personal data from the EU to the United States. The underlying cases arose out of Austrian privacy activist Max Schrems’ complaint against Facebook and Ireland’s Data Protection Commission over the interpretation of key data protection provisions. Max Schrems objected to US surveillance of foreign nationals, which conflicted with the General Data Protection Regulation (GDPR). The court decided that US surveillance laws and practices stand in opposition to the GDPR’s fundamental human rights protection of EU citizens. As a result, such personal data transfers are non-compliant with EU law and need special attention, assessment, reviews and additional safeguards to make them compliant. The case has been called constitutional and cannot be appealed.

Privacy Shield

The Court of Justice of the European Union found that the EU/US Privacy Shield data protection adequacy decision agreed in 2016 is invalid. Personal data transfers based on this mechanism must cease. EU citizens have no real judicial remedy or equivalent protections in the US under Privacy Shield. The Swiss/US Privacy Shield remains in force, but the Swiss Data Protection Authority is reviewing its position. Privacy Shield continues to operate internally in the USA based on federal enforcement mechanisms, US laws and the role of domestic regulators.

Standard Contractual Clauses (SCCs)

The European Commission’s Data Protection Standard Contractual Clauses remain lawful and enforceable. However, the court has insisted that Data Exporters (in the EU) and Data Importers (in foreign countries) must carry out more detailed checks to ensure that foreign laws and data governance rules are compatible with GDPR. Data Importers must inform Data Exporters if they are unable to comply with EU data protection law. Data Exporters must refuse to transfer personal data where specific personal data transfers are incompatible. EU Data Protection Authorities are also encouraged to intervene and review Standard Contractual Clauses and be prepared to withhold or withdraw authorisations for international personal data transfers. On 4 June 2021, the European Commission published its final updated Standard Contractual Clauses that comply with GDPR and the Schrems 2 case. On 21 March 2022, the UK published its new international data transfer regime.

Responses and Actions

  1. Companies and organisations should assess their exposure to Privacy Shield, work towards stopping these personal data transfers and investigate substitute arrangements. There is no grace period for compliance.
  2. Wait for and act on concrete guidance from each relevant EU Member State’s Data Protection Authority, the European Data Protection Board (EDPB) and the European Commission.
  3. Wait for the European Commission’s new GDPR-approved Standard Contractual Clauses (June 2021) and implement these by December 2022.
  4. Begin to review high value and high risk contracts that contain Standard Contractual Clauses (SCCs) that allow transfers to the USA.
  5. Review Binding Corporate Rules (BCRs) to see if personal data transfer protections from the EU to the USA need to be strengthened or varied.

Resources

EU / US and Swiss / US Privacy Shield Home Page

Schrems II Case Press Release

Schrems II Case Full Judgment

Schrems II European Data Protection Board (EDPB) Frequently Asked Questions

Schrems II US Federal Trade Commission (FTC) Statement

Schrems II US Secretary of Commerce Statement

Schrems II Joint Statement from European Commission and US Department of Commerce

Schrems II Ireland Data Protection Commission (DPC) First Statement

Schrems II UK Data Protection Commissioner’s Office (ICO) First Statement and Updated Statement

Schrems II European Data Protection Board (EDPB) Taskforce on Post-Schrems II Complaints

Schrems II US Department of Commerce, US Justice Department & US Office of the Director of National Intelligence White Paper on US Privacy Safeguards for SCCs and other Legal Bases

Schrems II European Data Protection Supervisor (EDPS) Strategy for EU Institutions to comply with Schrems 2 Ruling

Schrems II European Data Protection Board (EDPB) Supplementary Measures for data transfer tools to ensure GDPR compliance – Consultation

Schrems II European Commission Standard Contractual Clauses (SCCs) 2020 – Consultation

Schrems II European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) Joint Opinion 2/2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries

European Commission Final Standard Contractual Clauses (SCCs) for Data Controllers and Data Processors and also International Data Transfers – June 2021

UK Information Commissioner’s Office (ICO) Consultation on UK International Data Transfers and UK Standard Contractual Clauses – August 2021

UK Information Commissioner’s Office (ICO) Response to DCMS Consultation “Data: A New Direction” – October 2021

UK GDPR Final International Personal Data Transfers Scheme and Documents – March 2022

European Commission announcement of an EU/US Trans-Atlantic Data Privacy Framework Agreement in Principle – March 2022

White House Briefing Room announcement of an EU/US Trans-Atlantic Data Privacy Framework Agreement in Principle and FactSheet – March 2022

European Commission Questions and Answers (Q&As) for the two sets of EU 2021 Data Protection Standard Contractual Clauses – May 2022

For Further Assistance, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com


© Copyright 2024 PrivacySolved. All rights reserved. Website by Jerboa.