14 Feb LawBytes #32 – EDPB guide on no-deal Brexit data transfers and ENISA smartphone app security tool
LawBytes #32 deals this week with the information note on no-deal Brexit data flows from the EU to UK issued by the EDPB and with the ENISA tool for smartphone app security.
Privacy – the EDPB provides guidance on data transfers to the UK in case of no-deal Brexit
At the end of its 7th plenary session of February, the European Data Protection Board adopted an information note addressed to commercial entities and public authorities providing guidance on data transfers under the GDPR in the event of a no-deal Brexit.
In the absence of an agreement between the EU and the UK (no-deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019.
As previously highlighted by the EU Commission, “the adoption of an adequacy decision is not part of the Commission’s contingency planning”.
As a consequence, transfers of personal data from the EEA to the UK will have to be based on the other instruments available under the GDPR, such as standard or ad hoc data protection clauses, Binding Corporate Rules, or codes of conduct and certification mechanisms.
This is a big deal: it basically means that if no adequacy decision is adopted by 30 March 2019 (Brexit doomsday), as seems to be the case, companies had better be ready to rely on a different tool to frame data transfers from the EU to the UK.
Therefore, companies transferring personal data to the UK should follow the five-step process highlighted by the EDPB:
- Identify what processing activities will imply a personal data transfer to the UK
- Determine the appropriate data transfer instrument for their situation
- Implement the chosen data transfer instrument to be ready for 30 March 2019
- Indicate in their internal documentation that transfers will be made to the UK
- Update the privacy notice accordingly to inform individuals.
If you are interested in this topic, don’t miss our previous posts: “Top 6 effects of the Brexit withdrawal agreement on personal data” and “How Brexit impacts your European privacy strategy”.
IT Security – new online tool for smartphone app development from ENISA
Following its cybersecurity threats report and IoT security guidelines, the European Union Agency for Network and Information Security (ENISA) has just launched SMAShiNG (SMArtphone Secure developmeNt Guidelines), an online tool that maps the security measures of its smartphone secure development guidelines.
The tool helps developers build secure mobile applications: based on their requirements, developers can select the security measures associated with a specific domain and export them as a checklist to follow during the design phase.
The security measures featured in SMAShiNG are defined in the ENISA Smartphone Secure Development Guidelines report and provide guidance on crucial app development topics such as:
- User authentication;
- Sensitive data protection;
- Secure software distribution;
- Device and application integrity;
- Protection from client side injections;
- Correct usage of biometric sensors.
Following the privacy by design principle introduced by the GDPR, companies that want to achieve a competitive edge in the market should consider embedding adequate security measures in smartphone apps from the development phase onwards.
If you are interested in this topic, be sure not to miss our previous post: “EDPS Smart glasses privacy report and ENISA cybersecurity review”.
I am Tommaso Ricci; you can drop me a line at [email protected]. Read the previous issues of LawBytes here and register for our newsletter. Also, don’t forget to try Prisca, our GDPR chatbot described HERE.