GDPR News Center News for 06-30-2018

Data protection reform

The data protection reform package includes the General Data Protection Regulation and the Data Protection Directive for the police and criminal justice sector. The Data Protection Directive guarantees an effective protection of the fundamental right to data protection. The right to know when one’s data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures. Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. With the Data Protection Reform: The right to data portability will make it easier for potential customers to transfer their personal data between service providers. 

SMEs need not appoint a data protection officer unless their core activities require regular and systematic monitoring of the data subjects on a large scale or if they process special categories of personal data such as that revealing racial or ethnic origin or religious beliefs. With the current rules: France’s data protection laws would apply to the processing done by head office, but individual shops would still have to report to their national data protection authority, to confirm they were processing data in accordance with national laws in the country where they were located. With the Data Protection Reform: The data protection law across all 14 EU countries will be the same – one European Union – one law. The new data protection rules provide businesses with opportunities to remove the lack of trust that can affect people’s engagement with innovative uses of personal data. With the current rules: The data protection safeguards upon data controllers vary substantially from one Member State to another.

The Directive protects citizens’ fundamental right to data protection when data is used by criminal law enforcement authorities. The Commission will work together with the Member States and the Data protection authorities – the future European Data Protection Board- to ensure a uniform application of the new rules. 

Keywords: [“data”,”protection”,”personal”]
Source: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm

All About the GDPR

While deregulation has been a stateside trend over the past decade, the 28 members of the European Union are gearing up for a massive increase in regulations around data privacy in the form of the General Data Protection Regulation – and this regulation will make a splash across the pond as well. The GDPR, set to go into effect on May 25, 2018, is the product of four years of debate and preparation – but its roots trace back more than two decades to the infancy of the internet, when the EU first began protecting data. The GDPR will replace a 1995 regulation that was put into place when Netscape ruled the web, well before data giants like Google and Amazon began to flex their marketing muscles. The EU is hoping to keep up with those data giants and those changes, ensuring its citizens can be confident in their privacy and security. Like its predecessor, the GDPR is built on the premise that private information actually is, or should be, private and that individuals have rights surrounding this data. 

Even though it’s come a long way from its analog origins, one can argue that it is hardly a comprehensive way to manage data privacy. If it’s your personal data, it’s protected under the new regulation. Marketing in the digital age is all about data, so yes, the GDPR will complicate the job of marketers and can potentially jeopardize your business if you’re not careful. Es or any other EU nation suffix – or if you start accepting euros or pounds sterling or Danish kroner, the GDPR will likely apply to the data involved in those sites and transactions. Marketers need to be aware that the data they collect must have been acquired with consent, and it must be relevant to a specific purpose.

To maintain GDPR compliance, marketing databases will need constant scrubbing and/or additional consent – a wakeup call for marketers who have been building large, all-encompassing lists based on any and all contact data. Regardless of a little extra work, the raison d’être of the GDPR remains solid: A thriving economy in this new digital, data-driven world requires participants who are confident of their privacy – who feel their personal data belongs to them and trust the businesses they interact with. 

Keywords: [“data”,”GDPR”,”marketer”]
Source: https://martechtoday.com/all-about-the-gdpr-212787

Moodle’s GDPR approach and plan

Here we outline Moodle’s approach and plan for the implementation of support for the EU General Data Protection Regulation. Earlier this year we reached out to the community through our forums and social media to gauge the needs of different organisations on how they would need to comply with GDPR. We received direct input from a number of Moodle institutions, our Moodle Partner network and developers. During the summer we put together an initial plan on what developments are needed to enable organisations using Moodle to comply with GDPR and then sought more feedback. We have also engaged a specialist lawyer from Europe on a consultancy basis who has a strong background in data protection and data privacy to examine the specifications and make recommendations on where they can be improved to better enable organisations to be GDPR compliant. 

We now have a plan to meet those needs and are scheduling the development within our Open Source team under the lead of Sander Bangma, our new Open Source coordinator. The Plan: We have a set of features now in development which will meet those compliance needs covering the following areas: onboarding of new users, privacy statements, the tracking of consent and handling of subject access requests. A request to erase all identifiable user data on Moodle. We will be releasing these plugins, scheduled for March 2018, which will enable those using Moodle 3.3 and 3.4 to become compliant with the new regulations by installing and configuring the plugins in addition to implementing the required organisational procedures and processes. These features will then become part of Moodle 3.5 release which is a Long Term Supported version of Moodle.

In March 2018 Moodle released the first iteration of its GDPR feature set in the form of the two plugins. These continue to be updated as we work towards the Moodle 3.5 release on May 14th. The final GDPR feature set will be available as downloadable plugins for Moodle 3.3 and 3.4 and will also form part of the Moodle 3.5 release itself. Installing the plugins alone is not going to be enough to meet the GDPR requirements. 

Keywords: [“Moodle”,”GDPR”,”Data”]
Source: https://moodle.com/news/moodle-gdpr-approach-plan

GDPR News Center News for 06-29-2018

Three Workday Features That Support GDPR

In addition to providing people with greater protections around their data, organizations will have to change how they store, handle, and share data. After GDPR goes into effect, not much changes for Workday customers with respect to any applicable cross-border data transfer flows of personal data to Workday for processing. Workday has had a global data protection program built-in from day one. We have individual agreements around privacy with our customers, and under GDPR, Workday also has direct responsibilities outlined by the regulation. We also know we must continue to evolve with new features that meet organizations’ ever-changing data protection challenges. 

In response to German and Nordic customers needing to satisfy requests from works councils (company-specific labor groups) in those countries, Workday has developed a configurable feature that can restrict managers’ access to certain data only to those who fundamentally need it for their role. The main purpose of privacy purging is to help customers meet their privacy requirements and satisfy the right to be forgotten, soon to become enshrined by GDPR. We have extended privacy purging so that customers using Workday Recruiting can now purge out candidate and prospect information quickly and efficiently. To meet the needs of GDPR, in Workday 29 we added in the ability for organizations to purge active worker data, such as national and government IDs, sexual orientation, gender identity, gender pronoun, race, ethnicity, religion, and disability, should an employee request the removal of this information. That’s why we ensured that the view audit feature was made available in Workday a full year before the GDPR deadline.

Finally, from a privacy perspective, having the ability to see who viewed exactly what data and when is the cornerstone of good GDPR practice. Nothing happens in Workday without the system capturing it and making the audit trail easily accessible to those who need it via a standard report. As May 25 approaches, businesses should use this opportunity to think not only about how they reach GDPR compliance, but how their current technologies and processes could be transformed through more efficient data handling and processing. 

Keywords: [“data”,”Workday”,”privacy”]
Source: https://blogs.workday.com/three-workday-features-that-support-gdpr

Five steps to GDPR compliance

For any organisations processing personal data the General Data Protection Regulation is important news. Agreed upon just days ago, after years of negotiations, the GDPR is the biggest legal change of the digital age. This European Union law has global scope, covering any organisation that provides goods or services to the EU or gathers information concerning EU citizens, and covers a wide range of issues relating to personal data, such as privacy, monitoring and security. It compels businesses to provide data in a form suitable for use by a competing service provider, disclose personal data breaches within 72 hours and encrypt the data they hold. The legislation is welcome news for consumers who will get more say over how their data is handled, more rights to be forgotten and increased visibility of data breaches. 

Many organisations are just beginning to get to grips with personal data capture and use, and the sophisticated level of monitoring and policing that the new legislation mandates will really stretch their competencies. Businesses starting from a very low baseline of compliance will need at least this amount of time to implement wide-ranging changes to how they process, secure, protect and report on the data they hold. Escalate to the top of the business: It’s crucial that the board understands the enormity of these potential changes, the resource needed to transform the way the organisation handles personal data, and the risks of not complying. Assume full responsibility: The law will hold organisations fully responsible for meeting the new data requirements, so make sure you review existing systems, procedures and contracts with cloud vendors to avoid hefty fines. Appoint a project owner: Depending on the level of change required in your business, consider appointing a project owner, a Chief Data Officer or an external partner to oversee GDPR-readiness. 

Welcome GDPR as an opportunity: Personal data is increasingly at the heart of a modern organisation’s operations, and this is an excellent time to make sure the level of protection in place is fit for the new digital era. Data processes should be at the top of the CIO’s agenda right now, rather than just before the regulations come into force. 

Keywords: [“data”,”organisation”,”personal”]
Source: https://www.helpnetsecurity.com/2016/04/19/gdpr-compliance

Make sure you’re ready for GDPR

The GDPR includes a more detailed list of requirements that must be provided in a privacy notice than those required under the Data Protection Act 1998. Cover all the new rights under the GDPR; require more rigorous monitoring of data, with details on how staff or clients report breaches and confirm deletion of data. If your new company data protection policy – and details of how you expect your employees to handle data or report breaches – is not dealt with in a staff handbook, it should also be added to employment contracts, says Holden, who points out that interns and volunteers are equally affected. An employer’s existing legal responsibility to keep employee data safe is tightened even further under the GDPR, with greater emphasis on demonstrating that they have appropriate security measures in place. Experts advise a review of all data security, including firewalls, passwords, software and encryption used to protect personal data.

Organisations may choose to use pseudonymisation – a new technique under the GDPR that replaces or removes information that would otherwise enable a third party to identify an individual – to keep data secure and anonymous. Given the imbalance of power between employees and employers, says Holden, it will be difficult for consent to be freely given, meaning it is unlikely to provide a valid basis for processing HR data. Keystone Law employment lawyer Rachel Tozer warns that for employers to be able to process ‘special personal data’ they need to be able to rely on one of the lawful purposes, as well as a ground for processing special personal data. Employers panicking over how they use data should be assured that they can take systematic steps, even in the tightest timeframe, to audit their data use and put the right mechanisms in place. Appoint a data protection officer to head this team – they will have overall responsibility for GDPR compliance. 

The GDPR lacks specific procedures and precise definitions, so use other compliance standards and frameworks, such as the Payment Card Industry Data Security Standard, as a starting point. The GDPR asks businesses to carefully weigh the benefits of processing data a certain way against the attendant risks. 

Keywords: [“data”,”employee”,”process”]
Source: https://www.peoplemanagement.co.uk/long-reads/articles/ready-for-gdpr

GDPR News Center News for 06-28-2018

Introduction to GDPR compliance for media relations

In the UK our existing data protection law is quite strong but in some other European countries it was quite weak; the GDPR creates a ‘level playing field’ across Europe. To summarise, GDPR is all about getting organisations to give due respect to the personal data that they process. GDPR places strict conditions on processing data of this type and generally we don’t process sensitive personal data at ResponseSource. This distinction existed to an extent under previous data protection law but under GDPR there is no distinction between business and consumer personal data – it’s all treated the same. The UK government is committed to GDPR despite Brexit because if nothing else you only have to store one person’s data who happens to reside in the EU to have to comply completely with GDPR.

UK PLC will have a great deal of difficulty trading with the EU if we don’t comply. GDPR does tighten things up and does give greater powers to each country’s data protection watchdog. Consent is one basis for processing personal data under GDPR, and the one that most organisations intending to store data relating to potential customers will have to adhere to, but it is not the only one. They must comply with GDPR in every other way – for example only processing relevant data, keeping data up-to-date and acting on change or delete requests swiftly and efficiently. GDPR tightens up the rules on ‘subject access requests’ – where people can access what is held about them, demand corrections or have data deleted. 

GDPR beefs up the requirements to store personal data securely. This does not mean PRs need consent from journalists before distributing genuine media pitches via our Media Contacts Database but they do need to have a GDPR compliant data protection policy, live by it and maintain data securely. Possibly more important than anything else is the need to get your team to understand the spirit of GDPR. They must live and breathe respect for people’s data, ensure your entire team understands the main concepts of GDPR so they can make the right judgements in terms of keeping people informed about how their data is used, the importance of data accuracy and security, crucially, abide by your data protection policy. 

Keywords: [“Data”,”GDPR”,”personal”]
Source: https://www.responsesource.com/blog/gdpr-compliance-media-relations

GDPR Commitment

The General Data Protection Act is considered to be the most significant piece of European data protection legislation to be introduced in the European Union in 20 years and will replace the 1995 Data Protection Directive. The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

In summary, here are some of the key changes to come into effect with the upcoming GDPR: Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard. Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors. Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.

New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals. Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues. 

Keywords: [“Data”,”GDPR”,”organizations”]
Source: https://www.hotjar.com/legal/compliance/gdpr-commitment

trewknowledge/GDPR: This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer with efforts to meet the obligations and rights enacted under the GDPR.

This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer with efforts to meet the obligations and rights enacted under the GDPR. Documentation. Re-assignment of user data on erasure requests & pseudonymization of user website data. Right to access data by Data Subject with front-end requests button & double opt-in confirmation email. Data breach notification logs and batch email notifications to Data Subjects. 

The Access Data tool allows the Admin to look up a user email and view the data of a particular user. Data breach notifications are also logged to all Data Subjects upon confirmation by Controller. In case of a data breach, the Admin can generate a Data Breach Notification to users by logging the information and confirming the breach through a double opt-in confirmation email. Activating this plugin does not guarantee that an organization is successfully meeting its responsibilities and obligations of GDPR. Individual organizations should assess their unique responsibilities and ensure extra measures are taken to meet any obligations required by law and based on a data protection impact assessment.

Frequently Asked Questions: What is GDPR? This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. The GDPR defines personal data as any information or type of data that can directly or indirectly identify a natural person’s identity. No, this plugin is meant to assist a Controller, Data Processor, and Data Protection Officer with efforts to meet the obligations and rights enacted under the GDPR.

Activating this plugin does not guarantee that an organisation is successfully meeting its responsibilities and obligations of GDPR. Organisations should assess their unique responsibilities and ensure extra measures are taken to meet any obligations required by law and based on a data protection impact assessment. 

Keywords: [“Data”,”Cookie”,”user”]
Source: https://github.com/trewknowledge/GDPR

GDPR News Center News for 06-27-2018

Troy Hunt: Free course: The GDPR Attack Plan

The General Data Protection Regulation is an EU reg that kicks in on 25 May 2018 so we’ve got bang on a year to get organised. It’s important within the EU because it relates to how data of their citizens and residents is handled and it’s important outside the EU because the regulation can impact non-EU organisations too. In other words, if you screw up your security bad enough and fail to protect customer data, you may face a fine that really stings. In other words, no sneakily grabbing their data and using it in ways they wouldn’t expect. There’s a lot more to it than that, of course, but the main theme that runs throughout GDPR though is giving people back control of their data. 

As of today, there’s going on 3.8 billion records of data in the system. I have no idea how much of the data is from where in terms of countries of origin. In short, I have absolutely no way of consistently and reliably identifying Europeans in the data. Here’s the aspect of GDPR that I think is particularly interesting and it relates to this whole extraterritoriality thing, that is how it applies outside of the EU. Drawing directly from the published regulation, here’s what GDPR says about handling EU folks’ data outside of the EU:

the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. For those entirely unfamiliar with GDPR, the controller is the organisation that collects data from the data subjects, whilst the processor can be the likes of a cloud provider on which the service in question runs. The use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union. There’s a lot of European data in there simply by virtue of Europe being on the internet, not because I’m specifically curating a European audience. 

Keywords: [“Data”,”GDPR”,”how”]
Source: https://www.troyhunt.com/free-course-the-gdpr-attack-plan

What GDPR means to Office 365

As we saw on August 3, even the largest software operations like Office 365 can have a data breach. Companies need to know what personal data they hold, make sure that they obtain consents from people to store that data, protect the data, and notify authorities if data breaches occur. The definitions used by GDPR are quite broad. To move from the theoretical to practicality, an organization needs to understand what personal data it holds for its business operations and where they use the data within software applications. Auto-label policies to find and classify personal data as defined by GDPR. 

Retention processing can then remove items stamped with the GDPR label from mailboxes and sites after a defined period, perhaps after going through a manual disposition process. Content searches to find personal data marked as coming under the scope of GDPR. Alert policies to detect actions that might be violations of the GDPR such as someone downloading multiple documents over a brief period from a SharePoint site that holds confidential documentation. As mentioned above, you can create a classification label to mark personal data coming under the scope of GDPR and then apply that label to relevant content. If you have Office 365 E5 licenses, you can create an auto-label policy to stamp the label on content in Exchange, SharePoint, and OneDrive for Business found because documents and messages hold sensitive data types known to Office 365. 

Figure 1 shows how to select from the set of sensitive data types available in Office 365. Microsoft has plans to expand the Office 365 data governance framework to other locations over time. The GDPR requirement to erase data on request means that administrators might have to release holds placed on Exchange, SharePoint, and OneDrive for Business locations to remove the specified data. GDPR will affect Office 365 because it will make any organization operating in the European Union aware of new responsibilities to protect personal data. The nature of regulations like GDPR is that training and preparation are as important if not more important than technology to ensure that users recognize and properly deal with personal data in their day-to-day activities.

Keywords: [“Data”,”GDPR”,”personal”]
Source: https://www.petri.com/gdpr-office-365

Europe fires back at ICANN’s delusional plan to overhaul Whois for GDPR by next, er, year The Register

Special report: On March 26 – two months before new privacy protections come into effect in Europe – Goran Marby, CEO of DNS overlord ICANN, sent a letter [PDF] to each of Europe’s 28 data protection authorities asking them to hold off punishing it over Whois. Whois is a set of databases of domain-name owners, overseen by ICANN, and it contains people’s personal information such as their names and contact addresses. ICANN isn’t quite sure what to do yet, hence its request for a stay of enforcement. ICANN then solicited input from other groups – including the US government – to back up its idea and took a series of letters along with a proposed timeline showing a one-year moratorium to a meeting of the Article 29 Working Party in Brussels. In a new statement, provided by the Article 29 Working Party to The Register on Thursday following its meeting with ICANN earlier this week, the group is clearly baffled by ICANN’s repeated requests for something that doesn’t exist.

ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law. Despite the GDPR legislation being finalized in May 2016, it wasn’t until September 2017 that ICANN finally started taking it seriously when it hired a European law firm, Hamilton Advokatbyrå, to look into the issue. The next month, the organization started panicking when Hamilton told ICANN that it and all its contracted parties were going to be breaking Euro law come May 2018 and could be fined millions of dollars over its Whois service. It seems unlikely given their expertise and the fact it was them that first warned ICANN that it had wrongly persuaded itself that it was not affected by the new law. The GAC rejected that responsibility largely because within ICANN every major decision is supposed to be decided by all the different groups. 

During the lengthy meeting, much of it focused on GDPR, there was no mention of a moratorium, nor of asking the European authorities to give ICANN a special extension. The first mention of any kind of delay came in a comment by an ICANN board member two days later at a public forum [transcript] – by which point it had become clear that ICANN’s proposed interim model was not going to be approved in time. 

Keywords: [“ICANN”,”moratorium”,”data”]
Source: https://www.theregister.co.uk/2018/04/27/europe_icann_whois_gdpr

GDPR News Center News for 06-26-2018

Customer personal data is completely safe with Rocketseed

Data subjects have the right to information about the processing of their personal data. The right of access of data subjects is limited partly by the right of the Data Controller to require the data subject to specify the information or processing activities to which data access is required. Where consent is the lawful basis for processing, the data subject has the right to retract consent to processing of personal data at any given time. If consent is retracted, the Data Controller must cease processing of the relevant personal data for the purpose for which consent was obtained. As a Data Processor, Rocketseed, as the provider of the email software only, will refer any request for the right of access to personal data being processed to its customer, as the Data Controller. 

A Data Processor is a legal entity processing personal data on behalf of a Data Controller. Although Rocketseed has had established processes and procedures for personal data protection, like other businesses, it is taking a full audit of all its legal, technical and internal processes to make sure existing practices comply fully with GDPR. With specialist legal advice, we are updating our agreements including our licence agreements, data processing agreements and employment contracts to meet the required implementation date of 25 May 2018. Data Processing Agreements, between both Rocketseed and its licenced customers and between Rocketseed and its processing suppliers, will become key links in the processing of protection of personal data. GDPR stipulates significant requirements for the implementation of security measures related to the storage of personal data by the Data Processor. 

As Rocketseed sub-contracts the management of separate servers running the Rocketseed and RocketMailer software, it will be ensuring that its sub-processors provide security for personal data from external attack and accidental destruction, by establishing digital and physical measures to protect the integrity of the stored customer personal data. Rocketseed, in the role of Data Processor, continues to work proactively to secure the continuing best protection of our customer personal data so that you can be sure that your data is safe with us. Customer personal data is completely safe with Rocketseed.

Keywords: [“data”,”Personal”,”process”]
Source: https://www.rocketseed.com/gdpr

GDPR Data Breach Guidelines

This is fairly standard language found in any data privacy law – first define a data breach or other cybersecurity event. In the case of the GDPR, breaches can only involve personal data, which is EU-speak for personally identifiable information or PII. If your company is under the GDPR and it experiences an exposure of top-secret diagrams involving a new invention, then it would not be considered a personal data breach and therefore not reportable. I’ve read through the guidance, and just about everything you would intuitively consider a breach – exposure of sensitive personal data, theft of a device containing personal data, unauthorized access to personal data – would be reportable to regulators. Say EU personal data becomes unavailable due to a DDoS attack on part of a network or perhaps it’s deleted by malware but there is a backup, so that in both cases you have a loss albeit temporary – it’s still a personal data breach by the GDPR’s definition. 

As we all know, ransomware encrypts corporate data for which you have to pay money to the extortionists in the form of Bitcoins to decrypt and release the data back to its plaintext form. In the GDPR view, as I suggested above, ransomware attacks on personal data are considered a data loss. According to the examples they give, it would be reportable under two situations: 1) There is a backup of the personal data but the outage caused by the ransomware attack impacts users; or 2) There is no backup of the personal data. In terms of Venn diagrams and subsets, we can make the statement that every personal data breach that is individually reported also has to be reported to the supervising authority. If the personal data breach involves the names and addresses of customers of a retailer who have requested delivery while on vacation, then that would be a high risk, and would require the individuals to be contacted. 

The first key point is that the clock starts ticking once the controller becomes aware of the personal data breach. Then there's an investigation to see whether personal data was breached. The notification to the regulator must, among other things, describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. 

Keywords: [“Data”,”breach”,”personal”]
Source: https://blog.varonis.com/guide-eu-gdpr-breach-notification-rule

GDPR for Operations

The good news is that many of the provisions of GDPR are not dissimilar from the provisions of the Data Protection Directive that it replaces. GDPR expands on these basics, requiring that individuals be given the right to know more about how you’re using their data; to request copies of data about them; and to request that you delete data about them. You probably have a good idea of what personal data exists in your primary data stores, and how that data is linked with relations, but it might be less obvious which of those items of data could end up in your logs. Bear in mind that under GDPR rules, device identifiers, IP addresses, postcodes, and so forth could be considered personal data since they could be used to single out an individual, so consider those too. Under the right to erasure, a data subject can ask to have data about them removed. 

You’ll want to ask a friendly lawyer about this, but from my own research into the subject, it looks like it should be reasonable to remove data from production databases, and inform the data subject that whilst their data will still exist in backups, that these will be aged out in 30 days, or whatever, according to your retention policy. In the event that you need to restore from backups, you’d need to erase that data subject’s data again, and so erased subjects would need tracking, at least for the length of your retention policy. Allowing all your developers access to your full data set is definitely a no-no with GDPR. There exist commercial solutions to take a data set and mask sensitive data as part of an ETL operation into another database. If you’re using SaaS logging providers, for example, be aware that you may be passing personal data outside of your network, and that they also then have obligations to your data subjects. 
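Two helpers for the operational points above, as an added example that is not taken from the InfoQ article: scrubbing identifiers (IP addresses, e-mail addresses, device IDs) from log lines before they are shipped to a logging provider, using a keyed hash so that one subject's events still correlate without the raw value being recoverable, and a tombstone ledger that re-applies erasure requests to data restored from backup for as long as the backup retention window lasts. The key, the log lines, the subject IDs and the 30-day retention are constructed for the example.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta
from typing import Dict, List

# Assumed: a per-environment secret that never reaches the logs or the
# masked data set. Without it the pseudonyms cannot be reversed.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

# Identifier patterns that the GDPR treats as personal data when they can
# single out a person: IPv4 addresses, e-mail addresses, device identifiers.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DEVICE_RE = re.compile(r"\bdevice=([A-Za-z0-9-]+)")


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of an identifier: stable for the same input, so events for
    one subject still correlate, but not reversible without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseud:" + digest[:16]


def scrub_log_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace IPs, e-mail addresses and device IDs before the line leaves
    the network (for example to a SaaS log provider)."""
    line = IPV4_RE.sub(lambda m: pseudonymise(m.group(0), key), line)
    line = EMAIL_RE.sub(lambda m: pseudonymise(m.group(0), key), line)
    line = DEVICE_RE.sub(lambda m: "device=" + pseudonymise(m.group(1), key), line)
    return line


def scrub_logs(lines: List[str], key: bytes = PSEUDONYM_KEY) -> List[str]:
    return [scrub_log_line(line, key) for line in lines]


class ErasureLedger:
    """Tombstones for erased data subjects. A tombstone lives as long as a
    backup taken before the erasure can still exist (the retention window)
    and is re-applied to anything restored from such a backup."""

    def __init__(self, retention_days: int) -> None:
        self.retention = timedelta(days=retention_days)
        self._erased_on = {}  # type: Dict[str, date]

    def record(self, subject_id: str, erased_on: str) -> None:
        """Note an erasure; erased_on is an ISO date such as 2018-06-01."""
        self._erased_on[subject_id] = date.fromisoformat(erased_on)

    def expire(self, today: str) -> None:
        """Forget tombstones once every backup predating the erasure has aged
        out; keeping them longer would itself be needless retention."""
        now = date.fromisoformat(today)
        self._erased_on = {
            s: d for s, d in self._erased_on.items() if now - d < self.retention
        }

    def apply(self, restored: List[Dict], today: str) -> List[Dict]:
        """Drop records of erased subjects from a data set restored from backup."""
        self.expire(today)
        return [r for r in restored if r["subject_id"] not in self._erased_on]


# Constructed sample log lines (documentation-range IP, example.com address).
SAMPLE_LOG = [
    "2018-05-25T10:00:01Z 203.0.113.7 GET /account user=alice@example.com device=ab12-cd34 200",
    "2018-05-25T10:00:02Z 203.0.113.7 POST /logout user=alice@example.com 302",
]

if __name__ == "__main__":
    for out in scrub_logs(SAMPLE_LOG):
        print(out)
    ledger = ErasureLedger(retention_days=30)
    ledger.record("u42", "2018-06-01")
    restored = [{"subject_id": "u42"}, {"subject_id": "u7"}]
    print(ledger.apply(restored, "2018-06-15"))
```

The HMAC key is what makes this pseudonymisation rather than plain hashing: an unkeyed SHA-256 of an IPv4 address or a short e-mail address is trivially reversed by enumeration, so the scrubbed logs would still be personal data in anyone's hands. With the key held only inside your network, the logging provider sees stable but opaque tokens.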

GDPR is an unavoidable fact of life for anyone working with data about EU citizens. Taking care of this personal data is an organisation-wide responsibility, but in the operations part of the business we can provide a lot of supporting tools to help deal with the multiple facets of this problem. GDPR doesn't substantially extend the provisions of the Data Protection Directive, and so a lot of what I've described here is good practice that you should already be following. 

Keywords: [“Data”,”log”,”access”]
Source: https://www.infoq.com/articles/gdpr-for-operations

GDPR News Center News for 06-25-2018

Personal information under GDPR: What it is

We hear of personal data, personally identifiable information, PII, and sensitive personal data. All PII is personal data, but not all personal data is PII. Personal data in the context of GDPR covers a broader range of information. To comply with GDPR you need to look at the broader context of what personal data is, and that includes PII as well as other forms of personal data. The GDPR meaning of personal information also determines the type and amount of data that you can collect, process, and store. 

Under the DPD, the definition was a little vague as to whether data such as IP addresses, cookies, and device IDs are personal data. Under the GDPR, this data is classified as personal. It is defined in the GDPR under Personal Data and Unique Identifiers: 'personal data' means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Encryption does not convert personal data into non-personal data: as long as a key exists that can recover the plaintext, the data remains attributable to the individual and counts as pseudonymised rather than anonymised. Genetic and biometric data categories under the GDPR are classified as sensitive personal data. 

Linked personal data (examples)   Linkable personal data (types)   Sensitive (special categories)
Full name                         First name only                  Biometric data
Date of birth                     Last name only                   Racial data
Residential address               A portion of the address         Health data
Telephone number                  Age category, not specific       Ethnic origin
Email address                     Place of work                    Political opinions
Passport number                   Position at work                 Religious or philosophical belief
Identification number             IP address                       Trade union details
Driver's licence number           Device ID                        Genetic data
Social security number                                             Sexual preference
Banking/card numbers

Privacy regulations, not only GDPR, are hitting home hard. Remember that personal data under the GDPR covers much more information than it did under the DPD and goes beyond the American definition of PII. You need to address the broader context: all the data categories and their specific requirements for type, storage, collection, and processing. 

Keywords: [“Data”,”personal”,”information”]
Source: http://techgenix.com/personal-information-under-gdpr

How Microsoft tools and partners support GDPR compliance – Microsoft Secure

As an Executive Security Advisor for enterprises in Europe and the Middle East, I regularly engage with Chief Information Security Officers, Chief Information Officers and Data Protection Officers to discuss their thoughts and concerns regarding the General Data Protection Regulation, or GDPR. In my last post about GDPR, I focused on how GDPR is driving the agenda of CISOs. This post looks at how Microsoft technology can support the requirements on collection, storage, and usage of personal data; the necessary first step is to identify the personal data currently held. Office 365 includes tools to identify personal data across Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business environments. Windows 10 and Windows Server 2016 include tools to locate personal data, including PowerShell, which can find data in local and connected storage and search for files and items by file name, properties, and full-text contents for some common file and data types. 

The Microsoft GDPR Detailed Assessment is intended for use by Microsoft partners who are helping customers assess where they are on their journey to GDPR readiness. It provides an in-depth analysis of an organization's readiness and offers actionable guidance on how to prepare for compliance, including how Microsoft products and features can help simplify the journey. In a nutshell, it is a three-step process in which Microsoft partners engage with customers to assess their overall GDPR maturity. Customers remain responsible for ensuring their own GDPR compliance and are advised to consult their legal and compliance teams for guidance. 

This tool is intended to highlight resources that can be used by partners to support a customer’s journey towards GDPR compliance. To address these challenges, Microsoft announced a new compliance solution to help organizations meet data protection and regulatory standards more easily when using Microsoft cloud services – Compliance Manager. Image 7 shows a dashboard summary illustrating a compliance posture against the data protection regulatory requirements that matter when using Microsoft cloud services. 

Keywords: [“Data”,”Microsoft”,”GDPR”]
Source: https://cloudblogs.microsoft.com/microsoftsecure/2017/12/19/how…

An Introduction to GDPR and Elasticsearch, the Elastic Stack

Replacing the 1995 EU Data Protection Directive, GDPR was developed in recognition of the increasing need to protect the rights and personal data of each individual EU resident. GDPR is increasingly recognised as a regulation that will be used to stem the growing number of damaging data breaches reported across a variety of sectors. While previously compliant organisations may find many similarities to the earlier Directive, GDPR brings in some significant changes to the way personal data can be handled, rules on how breaches must be reported, and hefty penalties for non-compliance. EU and non-EU establishments may be affected by GDPR depending on their business models, geographical reach, and the data subjects whose data they control or process. GDPR defines roles or personas in terms of Data Subjects, Data Controllers, Data Processors, Sub-processors, and Authorities. 

Data Subject: persons in the EU. Data Controller: determines the purpose and means of processing, with direct responsibility to the data subject and the data protection authority. GDPR seeks to build on some of the key pillars of the current Data Protection Directive by significantly enhancing the rules around the processing and storage of personal data. The rules for handling data breaches within the GDPR framework are clear: organisations must, where feasible, inform their supervisory data protection authority of a breach within 72 hours of becoming aware of it. 

Transfers of personal data out of the EU to a country that is not deemed to provide an adequate level of protection are only permitted if the controller or processor provides appropriate safeguards as described in the GDPR. These safeguards may include standard data protection clauses adopted by the European Commission, binding corporate rules, or an approved self-certification programme such as the EU-US Privacy Shield. The simplified decision model in the original post (not reproduced here) summarises the decision process a GDPR-affected organisation may consider when determining how it treats personal data. In future posts in this series, we'll cover additional GDPR-related topics such as data onboarding, GDPR pseudonymization, and access controls for GDPR. For additional reading now, please check out our new white paper, GDPR Compliance and the Elastic Stack, or get in touch with an Elastic expert. 

Keywords: [“data”,”GDPR”,”personal”]
Source: https://www.elastic.co/blog/introduction-to-gdpr-with-elasticsearch

GDPR News Center News for 06-24-2018

Experian Business Assist

As one of the UK's largest data providers, Experian only provides you with the highest quality marketing data, in accordance with the latest GDPR guidance. 1) Data sources collect data under GDPR to pass on to Experian. The National Business Database (NBD) is a comprehensive collation of UK company data, with over 5 million records that combine business data from over 10 different sources. These data sources are legally processing data under the GDPR to pass the individuals' data to Experian. Once Experian hold this data, we process the data under the 'legitimate interest of a marketing company', which means we can provide this data to our customers provided we protect the rights of the data subject, which we do through our policies and procedures and the terms and conditions under which we licence our data to our customers. 

You should always remember that the provision of marketing data from Experian does not absolve our customers of their obligations under GDPR. You should ensure you are aware of all your obligations in relation to UK and EU regulations and the use of any data purchased from Experian, referring to the ICO for information and guidance. GDPR ensures that any business that trades within the EU processes personal data in the same way, with strict penalties for those who breach the legislation or their own data processes. For Experian's National Business Database, this means we are working closely with our data suppliers to ensure that data is collected in a compliant manner and continues to be available to Experian and our clients. 

Marketing communications using legitimate interest must then operate on an unsubscribe or opt-out basis, and follow the other data processing rules from GDPR. Experian will process data under legitimate interest and provide it to our customers on this basis. Experian's Data Validator helps with compliance by enabling you to regularly check that data you purchased from Experian is still considered valid to contact. Data Validator is a tool within Experian B2B Prospector, which checks whether your purchased data still exists as a valid record in Experian's National Business Database. 

Keywords: [“data”,”Experian”,”GDPR”]
Source: https://www.experian.co.uk/business-express/gdpr

How is SiteGround Getting Ready for the GDPR

The use of our personal data by big companies is indisputably the hottest topic right now, and we don't think anyone doubts the importance of regulations to prevent abuse and enhance the security of that data. The European General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, aims to do exactly that: regulate how the personal data of individuals in EU territory gets collected and used. When a user signs up for a free or paid service, for an app or otherwise, and provides their personal data, the provider of the service has to notify them explicitly how their personal data will be used before they complete the registration. The GDPR was designed to regulate the activities of big companies like Google and Facebook, which process enormous amounts of personal data and use it to generate significant gains, but at the end of the day it affects everyone, including every small business that works with any personal data. 

We have to guarantee that we collect, store and work with our clients' data in a legitimate way and that our clients are informed how exactly we do that. The GDPR says we have to inform clients what data we collect about them and legitimise how we use it afterwards. Based on how standard operations are organised, EU clients' data may be transferred to and processed by our US entity as well; for example, you may choose to host your site in our US data centres. The way we regulate this is through Standard Contractual Clauses, which will be included in all contracts between our entities to guarantee that the transfer of data complies with the GDPR requirements. The client controls the data and how that data gets collected and used, but SiteGround stores it on our servers and hence takes part in its processing. 

The new data processing agreement will regulate our processing of that data only for the purposes of delivering the hosting service and resolving technical inquiries and no other secondary functions, which has always been the case. As a client you should also be able to see what data we store about you, update it and, where we rely on your consent for processing the data, withdraw your consent to that use. The GDPR says we need to appoint a Data Protection Officer to make sure we are compliant with the regulations and handle complaints. 

Keywords: [“data”,”GDPR”,”client”]
Source: https://www.siteground.com/blog/gdpr-siteground-getting-ready

Event & Hospitality Professionals

For over 18 years, Cvent has been committed to protecting the privacy and security of customer and attendee information, including processes and safeguards relevant to personal data. Cvent has implemented a robust set of policies, procedures, and protocols to ensure that your and your clients' data remain safe and confidential, including using 256-bit encryption to secure all client data, both at rest and in transit, two-factor authentication, and more. Cvent has demonstrated compliance with rigorous third-party security frameworks and standards including ISO 27001:2013, PCI DSS Level 1 and SSAE 18 SOC 1 Type II. We will continue to seek additional certifications and accreditations that are important to our customers. Another way we protect our clients is by entering into Data Processing Agreements/Model Clauses with each of our clients and sub-processors. 

These agreements permit our clients to continue to transfer data to Cvent without disruption and bind our sub-processors to data processing best practices. We have already implemented a new Data Processing Agreement that satisfies the GDPR requirements. Cvent welcomes the new, robust requirements for data protection, security, and compliance that the EU-US Privacy Shield framework and the EU GDPR bring. We have closely analysed the requirements of the Privacy Shield and GDPR and are working with recognised global data privacy experts and legal counsel to renew our processes, supplement our products, and update our contracts and documentation, all in an effort to support Cvent and you with Privacy Shield and GDPR compliance. Utilising Cvent's size and scale, we have deployed our nearly 1,000-member tech team, with more than a dozen directly involved in information security, to deliver the Privacy Shield and GDPR compliant infrastructure on time, while continuing to meet our customers' needs. 

Cvent worked with TRUSTe to review and verify compliance with the EU-US and the Swiss-US Privacy Shield frameworks. Further, Cvent will comply with the GDPR when it becomes enforceable on May 25, 2018. As we pursue compliance with the GDPR, Cvent will advise customers via established relationship and support channels of any significant changes to our products and services that may be relevant to them or impact the customer experience. 

Keywords: [“Cvent”,”data”,”privacy”]
Source: https://www.cvent.com/uk/gdpr/learn-more.shtml

GDPR News Center News for 06-23-2018

Preparing for the General Data Protection Regulation

This checklist sets out 10 preliminary steps that schools can take now to prepare for the EU General Data Protection Regulation which comes into force in the UK on 25 May 2018. When the GDPR comes into force, it will entirely replace our current Data Protection Act 1998 and radically overhaul many of our existing data protection rules. One of the main features of the GDPR is that compliance alone is not enough; data controllers will also have to demonstrate their compliance and prove that they are taking data protection seriously by implementing a range of accountability measures. Unless you know what personal data you hold and how it is being processed, it will be difficult to comply with the GDPR’s accountability principles which require you to be able to demonstrate how the school complies with the data protection principles in practice. Due to the significant new burdens imposed on data controllers by GDPR, we recommend that all schools now formally appoint a DPO. 

Most schools have in fact already done this, because of the demands of the existing Data Protection Act. Schools will continue to be subject to an obligation to take organisational steps to keep personal data secure, and staff data protection training will continue to be expected. New starters should receive data protection training before they have access to personal data, and existing staff should receive regular refresher training. Carry out a data protection audit so you have a map of your personal data flows in place when GDPR goes live, recording for each flow the purpose of processing the data and the legal basis for that processing. 

Under GDPR, consent of a data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed. As under current data protection law, the GDPR will continue to allow individuals to ask the school to give them a copy of their personal data together with other information about how it’s being processed by the school. Under current data protection law, transfers of personal data outside the European Economic Area are restricted and this will continue to be the case under GDPR. In general terms, the rules on data transfers under GDPR are very similar to those under the DPA with some improvements. 

Keywords: [“Data”,”school”,”GDPR”]
Source: https://www.hcrlaw.com/preparing-general-data-protection…

As these definitions are used to determine the scope of the proposed Regulation, any data that are not personal data are outside the scope of the proposed Regulation. Common misconceptions:
– Just because data are not linked to a name does not mean that they are not personal data. Even removing further items from sets of data does not necessarily render such data anonymous.
– The data retention example would be covered under processing that is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c)). These embodied a stronger spirit than the Commission proposal, by recommending that personal data should only possibly be processed for incompatible purposes with the consent of the data subject or where prescribed by law.
– Consent is one way for data subjects to control how data about them are processed. While in some Member States it was traditionally seen as a privileged ground for lawfulness, it is only one among several in the currently applicable Data Protection Directive 95/46/EC. 

While the two rights are related, the right to data portability adds two new elements: data are to be provided in a structured electronic format allowing for further use, and it thereby protects users against lock-in effects. The second aspect only refers to data provided by the data subject, so it is clear that it applies to the raw material, such as bank account movements, but not, for example, to the bank's internal risk rating of your account. There are concerns about controllers' situation when they are legally obliged to store certain data but users want to take their data to another service. Article 17(1) deals with situations such as making a company delete your customer data after the business relationship has ended. In both cases, it should be noted that these rights are not absolute; there are exceptions related to freedom of expression (point (a), in connection with Article 80). 

These exceptions allow Member States to restrict data protection rights in order to reconcile the fundamental rights to data protection and freedom of expression.
– There also seem to be misunderstandings about when data subjects are entitled to erasure of their data. Several exceptions are foreseen, including for cases where data are stored based on a legal obligation, for public interest reasons in the area of public health, for research, and where data have to be maintained for proof. 

Keywords: [“data”,”controller”,”subject”]
Source: https://edri.org/files/GDPR-key-issues-explained.pdf

Where to start?

If only it were that easy! Financial Services institutions have been embarking upon Customer Centricity and Digital Transformation programmes and discovering that just understanding where all 'relevant' Customer data is stored isn't that straightforward. Typically, Customer data is stored in multiple siloed systems, in different formats, with differing levels of quality, using different definitions and data conventions. One of the challenges with this approach is that the programme is looking for data that is 'relevant' to Customer Centricity, i.e. data that helps build a more complete picture of the Customer's journey to help drive better service delivery and create up-sell/cross-sell opportunities. 

The sizeable potential impact of not being compliant means there is a real need to focus on understanding where relevant Customer data is held, right from the start. In a GDPR environment, a policy would typically include specific data attributes that either denote a location of relevant Customer data or areas where there may be potential data conflict. Once the policy has been defined, any solution needs to provide the automated discovery of relevant Customer data across any number of databases, sources, big data and cloud data stores. The automated first pass of data discovery is used to find the locations of relevant Customer data. Some data attributes will fit easily into the policy, some data attributes will be derived from relevant Customer data and so need further examination, and some data attributes will require much further examination. 

Classification helps define the priorities of potential data remediation based upon how the data attributes fit into, and conform to, the policy definition. As mentioned previously, data proliferation is a major challenge around relevant Customer data as it is often extracted from source systems and copied to other systems for subsequent processing. Once the data leaves a properly governed environment, any subsequent processing risks creating yet another source of relevant Customer data, albeit one that few will probably know about. Each discovered source can then be given a score. The score is simply a number, but it becomes powerful because it enables Financial Services institutions to prioritise the sequence in which sources of relevant Customer data need addressing. 
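As an added example of the discovery, classification and scoring process described in this article, and of the data-location and personal-data-category points made in the Microsoft and TechGenix pieces above (this is not Informatica's, Microsoft's or TechGenix's own code): a first pass over a few constructed record sources that flags personal-data attributes by value pattern and by field name, classes them as linked, linkable or sensitive, marks customer keys as derived data needing further examination, and ranks the sources by a weighted score. The policy, the weights, the detector patterns and the sample records are all assumptions made for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Policy (an assumption for the example): category -> (class, weight).
# Classes follow the linked / linkable / sensitive split; "review" marks
# attributes that need further examination before they can be classed.
POLICY = {
    "email":         ("linked",    3),
    "iban":          ("linked",    3),   # banking/card numbers
    "uk_nino":       ("linked",    3),   # identification number
    "ipv4":          ("linkable",  1),
    "health":        ("sensitive", 5),
    "religion":      ("sensitive", 5),
    "ethnic_origin": ("sensitive", 5),
    "trade_union":   ("sensitive", 5),
    "customer_key":  ("review",    1),   # derived from customer data via a key
}

# Value-pattern detectors. Names, postal addresses and the like need
# dictionaries or NLP and are deliberately left for manual examination.
DETECTORS = [
    ("email",   re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("ipv4",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("iban",    re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")),
    ("uk_nino", re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")),
]

# Field-name detectors for special-category data, which rarely has a
# recognisable value format.
SENSITIVE_FIELDS = {
    "diagnosis": "health",
    "religion": "religion",
    "ethnic": "ethnic_origin",
    "union": "trade_union",
}


def scan_record(record: Dict) -> List[Tuple[str, str, str]]:
    """Return (field, category, how) for every indicator found in one record."""
    hits = []
    for field, value in record.items():
        fname = field.lower()
        named = [cat for kw, cat in SENSITIVE_FIELDS.items() if kw in fname]
        if named:
            hits.extend((field, cat, "field-name") for cat in named)
            continue
        text = str(value)
        for category, pattern in DETECTORS:
            if pattern.search(text):
                hits.append((field, category, "pattern"))
        if fname.endswith(("_id", "_ref")) or "customer" in fname:
            # A key into a customer source: the record is derived customer data
            hits.append((field, "customer_key", "derived"))
    return hits


def discover(sources: Dict[str, List[Dict]]) -> Dict[str, Counter]:
    """First pass: count indicator categories per source."""
    findings = {}
    for name, records in sources.items():
        counter = Counter()
        for rec in records:
            for _field, category, _how in scan_record(rec):
                counter[category] += 1
        findings[name] = counter
    return findings


def score(counter: Counter) -> int:
    """Weighted count of indicators, per the policy."""
    return sum(POLICY[cat][1] * n for cat, n in counter.items())


def prioritise(sources: Dict[str, List[Dict]]) -> List[Tuple[str, int, Dict[str, int]]]:
    """Rank sources by score so remediation starts where it matters most."""
    ranked = [(name, score(c), dict(c)) for name, c in discover(sources).items()]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


# Constructed sample sources: a CRM table, a web-analytics export that only
# references customers by key, an HR export, and copy with no personal data.
SOURCES = {
    "crm.customers": [
        {"id": 1, "name": "A. Example", "email": "a.example@example.org", "iban": "GB29NWBK60161331926819"},
        {"id": 2, "name": "B. Example", "email": "b@example.net", "iban": "GB94BARC10201530093459"},
    ],
    "analytics.events": [
        {"customer_ref": 1, "client_ip": "203.0.113.9", "page": "/pricing"},
        {"customer_ref": 2, "client_ip": "198.51.100.3", "page": "/signup"},
        {"customer_ref": 2, "client_ip": "198.51.100.3", "page": "/cart"},
    ],
    "hr.benefits_export": [
        {"staff_no": "AB123456C", "diagnosis": "asthma", "religion": "none given"},
    ],
    "marketing.campaign_copy": [
        {"headline": "Spring sale", "body": "20% off all items"},
    ],
}

if __name__ == "__main__":
    for name, total, categories in prioritise(SOURCES):
        print(f"{total:3d}  {name:24s} {categories}")
```

Note what the ranking says: the small HR export outranks the CRM because special-category data carries the highest weight, and the analytics export, which holds no names at all, still scores because IP addresses are linkable and the customer key makes every row derived customer data. Those are exactly the two kinds of source that the "I know where my customer data is" approach tends to miss.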

Keywords: [“data”,”customer”,”need”]
Source: https://blogs.informatica.com/2016/03/25/gdpr-where-to-start

GDPR News Center News for 06-22-2018

Gearing Up for GDPR Compliance

While some fleet managers may view GDPR as a daunting compliance project, the GDPR is, in many ways, a legislative continuation of existing data privacy principles. The GDPR could be viewed as an opportunity to demonstrate to customers, regulators, suppliers, and the public that responsible data governance is a core feature of the organization. The purpose of the GDPR is to provide a comprehensive regulatory framework for the protection of the personal data of individuals in the EU. Individuals whose personal data is collected and processed have important rights under GDPR that organizations must take into consideration. Thoroughly understanding your organization's business operations from a data-centric perspective will help your organization to identify data inflows and outflows, catalogue third-party processors of data, identify redundancies and efficiencies that can be realized, and properly formulate its overall compliance efforts. 

Fleet managers must consider the data they collect and process, who they collect it from, how they process the data, where it is processed or transferred, and who, if anyone, they use to process the data. Obtaining the proper consent(s) and establishing the legitimacy of the data collection and processing are critical components of GDPR compliance. As part of obtaining driver consent to data collection, fleet managers can thoroughly explain what data is captured, how the data is captured, how it is used, the benefits to the organization and the benefits to the driver. The Geotab solution can provide reassurance that fleet management data will be protected through Geotab’s robust data security measures. As a data processor for our customers, Geotab is aware of the importance of providing fleet managers with a reliable and secure fleet management solution that provides end to end data security. 

Geotab has undertaken data protection impact assessments and has made publicly available the technological and organizational measures it employs to protect its customers' data. More specifically, fleet managers can use Geotab's solution to demonstrate to their drivers, customers, suppliers, and regulators that they appreciate the significance of responsible data governance while reassuring all stakeholders that the data is legitimately and transparently used for innovation in connected vehicles, enhancing the efficiency of fleet operations, strengthening environmental responsibility, and, most importantly, elevating driver and public safety. 

Keywords: [“data”,”fleet”,”GDPR”]
Source: https://www.geotab.com/blog/gdpr-compliance

GDPR Assessment & Consulting Services

Background on the GDPR. The European Union's General Data Protection Regulation is one of the biggest transformations of global data privacy law in the past 20 years. Businesses and organisations are preparing for the requirements that the General Data Protection Regulation imposes from 25 May 2018. Companies and public bodies need to comply with GDPR if they process personal data in the context of selling products or services to people in EU countries, as well as the UK. If your company operates outside the EU but offers products and services to, or monitors the behaviour of, EU data subjects, you will need to comply with GDPR. 

GDPR requires that organisations continuously protect EU data subjects and their privacy using a holistic combination of people, processes, and technology. A comprehensive governance strategy and the right security technologies are ideal for maintaining GDPR compliance. CIPHER Security provides an array of GDPR assessment and consulting services to help customers gain a holistic view of their state of compliance towards the Data Protection Act 1998 and assess their readiness towards the GDPR. Awareness Workshop: CIPHER provides consultative awareness workshops designed to give you a better understanding of data privacy and how GDPR will impact your organisation. Data Discovery: CIPHER provides a consultant led data discovery exercise across your organisation to produce an extensive and up to date register of your organisation’s data processing activities. 

CIPHER’s data discovery service provides overall visualisation of the organisational data lifecycle in its entirety. Health Check: CIPHER is committed to helping organizations better prepare for compliance with the upcoming EU General Data Protection Regulation, and any future updates to the regulation as released. We will assess your data privacy risks and measure your privacy controls against the GDPR. Privacy Impact Assessment: CIPHER provides experienced consultants to assist in establishing the appropriate policies, procedures and systems to enable ‘privacy by design’. Managed GDPR Services: CIPHER offers 24x7x365 breach monitoring, detection, and alerting through its highly accredited global Security Operations Centers. 

CIPHER, a global security consultancy and MSSP, arms you with customized governance strategies and cutting-edge security technologies to speed up your GDPR readiness. 

Keywords: [“Data”,”GDPR”,”CIPHER”]
Source: https://cipher.com/gdpr-assessment-consulting

Another reason for SaaS to reconsider on-premise

The EU General Data Protection Regulation replaces the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organisations across the region approach data privacy. With the upcoming enforcement date of the GDPR, SaaS providers that collect data on EU residents need to have much stronger controls around the collection, tracking, sharing and protection of that user data. Often, single-tenant private SaaS means running an application in someone else's public cloud account, i.e. the data stays in the customer's account. The additional regulatory burden of multi-tenant data management and the lower barriers to entry for going on-premise mean it may now be worth it for SaaS vendors to create a more highly valued and differentiated offering by developing the ability to deliver a managed service into customer cloud accounts. While many SaaS providers cite various technical and organisational pitfalls as reasons for not going on-prem, the other elephant in the room is that they want their users' data collected and stored in an easy-to-process manner. 

GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Data subjects may ask companies to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Data subjects also have the right to obtain from companies confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The premise is a fictional letter that a Data Protection Officer could expect to receive and have to comply with under the GDPR. It highlights the full extent of the GDPR right-to-access requirements and leaves the additional costs one would have to incur in order to comply with the letter up to the imagination of the reader. 

a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained. Fortunes have been created by making it dead simple to share user data with other SaaS services. 

Keywords: ["Data","personal","provide"]
Source: https://gravitational.com/blog/gdpr-impact-on-saas-vendors

GDPR News Center News for 06-21-2018

General Data Protection Regulation

Whenever a data subject is about to submit their personal information, the data controller has to make sure the data subject has given their consent. Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. The GDPR also allows data subjects to demand a copy of their data in a common format. Data subjects have always had a right to request access to their data. On the security side, the GDPR will require many businesses to have a Data Privacy Officer to help oversee their compliance efforts. 

Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale. Since the GDPR is all about transparency and fairness, Controllers and Processors will need to review their Privacy Notices, Privacy Statements and any internal data policies to ensure they meet the requirements under the GDPR. If a Controller engages third party vendors to process the personal data under their control, they will need to ensure their contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. The GDPR contains a new requirement that controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of learning of it, unless the data was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. 

Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. While the current legislation, the 1995 EU Data Protection Directive, governs entities within the EU, the territorial scope of the GDPR is far wider, in that it will also apply to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you. The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue. 

Keywords: ["data","GDPR","new"]
Source: https://www.hubspot.com/data-privacy/gdpr

GDPR Compliance in A/B Testing Software

Convert already raised awareness and made sure that key decision makers are aware that the law is changing and identified areas that could cause compliance problems under the GDPR. COMPLETED. Convert employees who handle personal data of other employees or customers will receive training in order to ensure that they handle changes in accordance with GDPR. Convert should keep a record of training and provide update and refresher training on an annual basis. Convert works together with lawyers to craft policies and terms based on your needs and data processing. 

IN PROGRESS. Article 9, sensitive personal data: this includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information and sexual orientation. In the future, should it be needed, Convert will only keep special category data for as long as it needs it; once it is no longer needed, Convert will securely remove it from its systems in an auditable way. COMPLETED. Article 11, processing which does not require identification: a controller that cannot identify the data subject is absolved from having to respond in detail to a data subject’s requests, except to tell the data subject that it cannot comply due to lack of identification. Convert will examine every data subject’s request with respect. In cases where Convert can prove that the data subject cannot be identified, the data subject’s rights will be limited. 

COMPLETED. Articles 12-14, privacy notices: these must be given at the time that the data is obtained from the data subject or, if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one month. Convert will enable employees and customers to request the personal data that Convert processes about them. Convert will ensure that there are procedures in place to detect, investigate and report personal data breaches within 72 hours of becoming aware of them. A PIA is not strictly necessary, as the type of processing Convert does is unlikely to result in a high risk, but Convert will put a simple PIA in place anyway. COMPLETED. Articles 37-39, appointment of DPOs: public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance. Convert won’t need to appoint a DPO, but a trained team will be responsible for data protection matters as part of their role. 

Keywords: ["data","Convert","process"]
Source: https://www.convert.com/gdpr