Monday, April 2, 2018

GDPR Is Still ALIEN To Many, With Fines That Are Out Of This World



On May 25, 2018, the General Data Protection Regulation (GDPR) will become a global law.

The regulation applies to the collection, processing and movement of personal data for individuals residing in 32 European States (28 EU States + 4 other European States). If your company has prospects or customers in these States, you most likely have exposure and are mandated to comply, or risk severe penalties and fines.

GDPR Citation (2) states the following:

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons. 

Why has this become an issue?

GDPR Citation (6): Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.



GDPR Citation (7): Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

Tuesday, November 28, 2017

GDPR Addresses Joint Controllers With Joint Responsibility



The GDPR specifically addresses when more than one controller is involved with the processing of an individual's personal data. In addition to the overlap of data processing responsibilities, liabilities are also shared, including the data subject's rights to compensation. GDPR Article 26 (Joint Controllers) and GDPR Article 82 (Right to compensation and liability) are included below for reference.


Article 26 - Joint Controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects. 

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject. 

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers. 

(Inspired by Surkan Krut, privacy lawyer, CIPP/E, CIPM, freelance consultant specializing in Joint Control.)

Tuesday, November 21, 2017

GDPR Balancing Act Of Principles For Collecting Personal Data


As illustrated above, a Controller has the responsibility of balancing six basic principles involving the collection of personal data, as well as being able to demonstrate compliance. 

The basic principles of the GDPR state that personal data shall be processed lawfully, fairly and in a transparent manner; for specified, explicit and legitimate purposes; adequate, relevant and limited; accurate; subject to 'storage limitation'; and in a manner that ensures appropriate security of the personal data. The GDPR also states that the controller should be able to demonstrate compliance.

GDPR, Article 5, Paragraph (1): Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

GDPR, Article 5, Paragraph (2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').

This 'toon was inspired and contributed by Helen Haddon and Lucy Kendall of www.ComplyGDPR.com.

Wednesday, November 15, 2017

GDPR Using Standardized Icons In Order To Give In An Easily Visible, Intelligible And Clearly Legible Manner, A Meaningful Overview Of The Intended Processing.


The GDPR specifically provides for "icons" to be used to help explain if a person will be obligated to provide personal data and what the consequences will be. There is also quite a bit of discussion as to the utility of such icons, questioning if they will just create more confusion.

The sections of the GDPR addressing the use of icons are referenced below:

GDPR Citation (60): "The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable."

GDPR Citation (155): "In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council."

Article 12 Paragraph 6. "The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable."

Article 12 Paragraph 7. "The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons."

Article 70, Tasks of the Board, Paragraph 1(r): "provide the Commission with an opinion on the icons referred to in Article 12(7);"

Friday, November 10, 2017

GDPR Needs To Certify The Certifiers... Through The Certification Bodies



As mentioned in a previous post, the GDPR encourages the establishment of data protection certification (Article 42, Paragraph 1) and outlines the criteria for setting up the certification bodies (Article 43); however, these accredited certification bodies have been slow to surface.

With only a few months to go, this is surprising, because certification is an integral part of the GDPR fabric. For example, the GDPR references approved certification as a mechanism that may be used as an element to demonstrate compliance in these sections:

Processor's Obligations With The Controller, [Citation (81)]
Responsibility Of The Controller, [Article 24, Paragraph 3]
Data Protection By Design And By Default, [Article 25, Paragraph 3]
Processor's Capability, [Article 28, Paragraph 5]
Security of Processing, [Article 32, Paragraph 3]
Guiding the imposition of administrative fines, [Article 83, Paragraph 2(j)]

Articles 42 and 43 are listed below.

Article 42 - Certification

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account. 

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects. 

3. The certification shall be voluntary and available via a process that is transparent. 

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56. 

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal. 

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure. 

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met. 

8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means. 


Article 43 - Certification bodies

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following: 

(a) the supervisory authority which is competent pursuant to Article 55 or 56; 

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have: 

(a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63; 

(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks; 

(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and 

(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests. 

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies. 

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article. 

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification. 

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means. 

7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation. 

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1). 

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2). 

Thursday, November 9, 2017

GDPRtoons.com Turns 100 Today.... (100 Days)



This project, www.GDPRtoons.com, started as a way to communicate the nuances and details of GDPR to our international clients that have potential exposure. The purpose of the site is to create awareness and facilitate the discussion of GDPR's complexities.

In the last 100 days, we have received thousands of views and reposts, along with hundreds of requests to use the 34 posted cartoons in presentations. We openly endorse sharing if the copyright is displayed. We gratefully received dozens of ideas and inspirations from around the world. Thank you for all of your help and support, respectfully, Brent Dreyer, Direct Services Inc. (now back to work!)