Sunday, May 27, 2018

GDPR Compliant? All You Need Is A Good Privacy Policy And Opt-in Emails, Right? NOT



In the days and weeks leading up to the effective date of GDPR, we all received a plethora of revised Privacy Policies, as well as a handful of requests to reconfirm email opt-ins. Surprisingly, many people in sizeable U.S. organizations seem to think that these actions alone will make them GDPR compliant.

Has anyone else experienced this reaction?

Friday, May 25, 2018

There are many people with SKELETONS in their DATA Closets!



According to the definition of processing in Article 4 of GDPR, 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In short: if you have the personal data, you process it according to the definition of processing.

What are the consequences of this definition?

It means that you have to comply with the different aspects of GDPR, such as security, the notice provided to the data subject, and having a legal basis for the processing.

If you plan to use an external supplier to process the personal data, you have to sign a Data Processing Agreement according to Article 28 of GDPR.


Contributed by my dear friend Piotr Siemieniak based upon typical 'real life' responses in training sessions. See https://upsecure.pl/

Monday, April 2, 2018

GDPR Is Still ALIEN To Many, With Fines That Are Out Of This World



On May 25, 2018, the General Data Protection Regulation (GDPR) will become a global law.

The regulation applies to the collection, processing and movement of personal data for individuals residing in 32 European States (28 EU States + 4 other European States). If your company has prospects or customers in these States, you most likely have exposure and are mandated to comply, or risk severe penalties and fines.

GDPR Citation (2) states the following:

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons. 

Why has this become an issue?

GDPR Citation (6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data. 



GDPR Citation (7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

Tuesday, November 28, 2017

GDPR Addresses Joint Controllers With Joint Responsibility



The GDPR specifically addresses when more than one controller is involved with the processing of an individual's personal data. In addition to the overlap of data processing responsibilities, liabilities are also shared, including the data subject's rights to compensation. GDPR Article 26 (Joint Controllers) and GDPR Article 82 (Right to compensation and liability) are included below for reference.


Article 26 - Joint Controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects. 

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject. 

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers. 

(Inspired by Surkan Krut, privacy lawyer, CIPP/E, CIPM, freelance consultant specializing in Joint Control.)

Tuesday, November 21, 2017

GDPR Balancing Act Of Principles For Collecting Personal Data


As illustrated above, a Controller has the responsibility of balancing six basic principles involving the collection of personal data, as well as being able to demonstrate compliance. 

The basic principles of GDPR state that personal data shall be collected and processed lawfully, fairly and in a transparent manner; for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate; subject to 'storage limitation'; and in a manner that ensures appropriate security of the personal data. The GDPR also states that the controller should be able to demonstrate compliance.

GDPR, Article 5 Paragraph (1), Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

GDPR, Article 5, Paragraph (2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').

This 'toon was inspired and contributed by Helen Haddon and Lucy Kendall of www.ComplyGDPR.com.

Wednesday, November 15, 2017

GDPR Using Standardized Icons In Order To Give In An Easily Visible, Intelligible And Clearly Legible Manner, A Meaningful Overview Of The Intended Processing.


The GDPR specifically provides for "icons" to be used to help explain if a person will be obligated to provide personal data and what the consequences will be. There is also quite a bit of discussion as to the utility of such icons, questioning if they will just create more confusion.

The sections of the GDPR addressing the use of icons are referenced below:

GDPR Citation (60) "The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable."

GDPR Citation (155) "In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council."

Article 12 Paragraph 6. "The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable."

Article 12 Paragraph 7. "The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons."

Article 70, Tasks of the Board, Paragraph 1(r): "provide the Commission with an opinion on the icons referred to in Article 12(7);"