On 6 April, the Data Protection Commission (DPC) issued a Guidance Note (GN) on cookies and other tracking technologies. The Guidance Note follows an examination by the DPC of the use of cookies and similar technologies on a selection of websites across a range of sectors. The DPC will allow a period of six months from the publication of the guidance for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.

ePrivacy Regulations and GDPR

The GN outlines the requirements under the ePrivacy Regulations 2011 and the GDPR for the use of cookies and other tracking technologies to process personal data, including the law on cookies and its purpose, the requirements for consent, the provision of “clear and comprehensive information” about the use of cookies, and the requirements for cookie banners.

Third Party Processors

Consideration is also given to the need to assess relationships with third parties whose assets are deployed on a website, for instance “like buttons”, plugins, widgets, pixel trackers or social media sharing tools. Controllers must be aware of what information is collected and disclosed to these third parties. Where a third party is engaged to process data on the controller’s behalf, for example to process payments, a controller-processor contract meeting the requirements of Art 28(3) of the GDPR will need to be in place with that organisation.

Record of Processing Activities

It is important to note that a cookie does not need to contain personal data for the user’s consent to be required before it is set. Under Art 30 of the GDPR, there is a requirement to maintain a comprehensive record of each specific type of processing as part of your record of processing activities, and this includes processing relating to cookies and other tracking technologies.

Special Categories of Personal Data

If your organisation processes special categories of personal data derived from cookies, that processing is subject to the stricter rules in Art 9 of the GDPR. The only legal basis your organisation is likely to have for processing special category data derived from cookies or other tracking technologies is the explicit consent of the individuals whose data you are processing.

Storage Limitation Principle

The DPC also noted that the lifespan of a cookie should be proportionate to its function, in line with the storage limitation principle under the GDPR. Organisations should review the expiry periods currently set on their cookies and make the changes necessary to comply with this principle.

Location Tracking

The GN also outlines the requirements regarding the use of cookies and other technologies to track a user’s location, in particular the need for consent. The Court of Justice of the EU has recognised the sensitivity of location data because it can be used to derive very precise information about individuals and their behaviour, including daily movements and activities, places of residence, social relationships and the social environments they frequent.

Now that the DPC has issued its guidance, organisations should review their use of cookies and tracking technologies and ensure that their approach is compliant before the six-month period ends.

Our Data Protection Support Services team can assist you in implementing a successful data protection programme, achieving and maintaining compliance with EU data protection requirements while delivering security, productivity, risk management and cost-efficiency benefits. View our GDPR Service Offering for more information.

The Data Protection Commission has published an information note on data breach trends identified by its Breach Assessment Unit in the first year of the GDPR.

Some of the trends and issues identified by the Breach Assessment Unit include:

  • Late notifications;
  • Difficulty in assessing risk ratings;
  • Failure to communicate the breach to data subjects;
  • Repeat breach notifications; and
  • Inadequate reporting.

You can view the full information note here.

At Crowleys DFK, we are dedicated to helping you achieve GDPR compliance. Our Data Protection Support Services team offers the following services:

  • Preparing a gap analysis between current practices and those required under current legislation and regulation.
  • Ensuring data protection, records management and retention policies and procedures are in line with current legislation and regulations.
  • Conducting a data mapping exercise.
  • Developing privacy notices/disclosures for your organisation.
  • Determining whether a Data Protection Impact Assessment is required by your firm and providing assistance with carrying it out.
  • Providing support to your appointed Data Protection Officer/Privacy Officer and ensuring their roles and responsibilities fully cover the requirements of the GDPR.
  • Providing GDPR workshops/training to Board members and staff.

For assistance or advice on Data Protection, please contact us.

On 6 September 2019, the Central Bank issued guidelines to help firms meet their anti-money laundering (AML) and countering the financing of terrorism (CFT) obligations.

Money laundering and terrorist financing are a major global problem. An estimated 2% (€715 billion) to 5% (€1.87 trillion) of global GDP is laundered each year.

The guidelines aim to help firms understand their obligations under the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2018.

Speaking at the launch of the guidelines, Derville Rowland, Director General, Financial Conduct, said:

“Firms must adopt a risk-based approach to fulfilling their obligations and ensure that their controls, policies and procedures are fit for purpose, up-to-date, tested and kept under constant review and scrutiny.”

“Effective regulation in this area strengthens the integrity of the financial sector and contributes to the safety and security of citizens by preventing drug dealers, and those engaged in human trafficking, terrorist attacks and organised crime, from using the financial system to support these activities,” she said.

“Financial institutions must know their customers, understand their customer profiles, monitor the way accounts are used and make reports of suspicions to An Garda Síochána, and the Revenue Commissioners where appropriate,” she added.

You can find a copy of the guidelines here and view the Central Bank’s press release here.

If you are a designated person for AML purposes and require assistance with your obligations under the legislation, please contact Tony Cooney, Partner and Head of Risk Consulting.

We provide the following services:

  • AML business risk assessments
  • Updating AML policies and procedures for new legislative requirements
  • AML training for directors and staff
  • Independent audits of the AML function

Credit unions have come under increasing scrutiny in recent years with more attention than ever focused on the duties of directors and the board. At a time of rapid change both within the credit union sector, and in the wider economy, keeping up to date is critical, explains Fiona O’Sullivan, Director, Audit & Assurance.

A Central Bank report published earlier this year shows that governance and risk management continue to challenge credit unions. The board of each credit union is responsible for its control, direction and management and must ensure that directors have the skills and expertise to oversee operations adequately. This includes being aware of the rules and regulations governing who can serve on the board, in what capacity, and for how long. Individual directors must be able to devote sufficient time to their roles and responsibilities and must keep up to date with their legal and regulatory obligations.

Improving standards

While governance standards are generally improving, the Central Bank report shows that 60 percent of the risks identified in credit unions relate to governance and operational issues. Typically, these include failure to challenge internal audit, failure to adequately monitor the quality of risk management and compliance, and failure to adequately review the performance of individual directors, management and key staff. These problems occur in credit unions of all sizes, not just in smaller entities.

The report provides a useful summary of supervisory expectations:

  • An effective and comprehensive governance framework should be evident in the credit union, including clear accountabilities and an appropriate performance management framework for relevant officers and staff.
  • Effective engagement with the internal audit, risk management and compliance functions should be evident. Boards should be aware of, challenge and act on the findings and issues identified by these functions.
  • Clear separation between the roles of the board (non-executive) and management (executive). This separation should be underpinned by clear roles, responsibilities, reporting lines and accountabilities.
  • A strategic, forward-looking focus at board level, with quality discussion and challenge of strategic plans and associated targets evident at board meetings. The ongoing monitoring and tracking of metrics to assess the implementation and effectiveness of the strategic plan is key to effective governance and driving the future direction of the credit union.
  • Appropriate and timely reporting to the board in order to support decision-making on key strategic issues. Such reports should be well understood at board level and there should be evidence of discussion, challenge and follow-up from the board in relation to such reports.

Risk governance

The report highlights the importance of internal audit, risk management and compliance, stating:

“Those credit unions demonstrating stronger governance have typically moved beyond a mere ‘tick-box’ compliance attitude to exhibiting a more integrated risk governance culture, with a strong awareness and understanding of the impact of unmanaged risk. Such credit unions are more likely to leverage appropriately the important supports to the board provided for in the 2012 enhanced governance framework of internal audit, risk management and compliance in order to provide them with an improved understanding of the risk profile of their credit unions so that they can drive the necessary changes and improvements.”

Directors should keep in mind that, as in other sectors, the risks that credit unions face continue to evolve as circumstances change. Risk registers and policies must be regularly reviewed and updated to take account of regulatory, sectoral, economic and technology-related developments. Recent regulatory developments include the changes to the investment and liquidity framework being implemented in 2018. Emerging economic risks include Brexit, while cyber risks include vulnerabilities in areas such as fintech, cloud computing, mobile technologies, the Internet of Things and ‘big data’. Directors are responsible for ensuring that these, and other existing and emerging risks, are identified and documented and that appropriate plans are devised and implemented to mitigate them.

How we can help

Understandably, with the regulatory and compliance burden increasing and new and complex challenges emerging, credit unions and their directors need help to keep pace with developments. Crowleys DFK has more than 25 years’ experience advising clients in this sector and offers a broad range of specialist services, including governance support, to help boards and directors meet their legal and regulatory obligations.

For more information and to find out how we can help, please get in touch.

Talk to us

Fiona O’Sullivan
Director, Audit & Assurance Services
fiona.osullivan@crowleysdfk.ie