By Gail Crawford and Danielle van der Merwe

Following the commencement of the Brexit negotiations earlier this week, the Queen announced in her speech on Wednesday a new law that will “ensure the United Kingdom retains its world-class regime protecting personal data”.

This bill will replace the current Data Protection Act 1998 in the UK. One of the bill’s main reported benefits is the implementation of the General Data Protection Regulation (GDPR) (and the new directive applying to law enforcement data processing), meeting the UK’s obligations while it remains an EU Member State. Crucially, the intention is for the bill to help put the UK in the best position to maintain its ability to share data with other EU Member States, and internationally after the UK leaves Europe.

By Christian McDermott, Calum Docherty, Stuart Davis and Anne Mainwaring

The European Banking Authority (EBA) has published its consultation document on security measures for operational and security risks under the revised Payment Services Directive (PSD2).

The WannaCry ransomware attack that swept across the globe last week revealed the destructive and indiscriminate nature of cyber threats. It attacked hospitals, telecoms networks and universities, seizing hold of important data and leaving users and systems administrators temporarily powerless. These are precisely the risks that the payments industry wants to avoid as it braces for the revised PSD2, which will come into force across the EU from 13 January 2018. As such, the EBA has published a consultation paper on security measures for operational and security risks under PSD2, setting out proposed requirements for payment services providers (PSPs) to mitigate the concomitant payment processing risks.

The consultation paper is one of the EBA’s three security mandates in PSD2, complementing the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (submitted to the European Commission for adoption 23 February 2017), and the Guidelines on Major Incidents Reporting (which recently finished its consultation).

By Gail Crawford

After over four years of debate, the General Data Protection Regulation (GDPR) recently came into force, taking effect after a two year transition period, i.e. from 25 May 2018. The GDPR introduces a rigorous and far-reaching privacy framework, which will impact many M&A transactions.

The GDPR sets out defined obligations and substantial fines for non-compliance. The new regime will extend the territorial reach of EU data protection law, catching any business that operates in the EU, or offers goods and services to – or monitors the behaviour of – EU data subjects. In the M&A context, a non-EU entity that targets or monitors EU individuals will be subject to the GDPR.

The GDPR imposes mandatory data breach notifications and much stronger sanctions for non-compliance. Fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, can be imposed. This has rightly concerned business – a survey by Ovum in 2015 showed that 94% of IT decision makers are concerned about the GDPR and 52% of respondents thought that the GDPR would result in fines for their company.