GDPR News Center News for 10-06-2018

GDPR compliance deadline is approaching: 10 things to do right away

Under the GDPR and other data protection and privacy laws, personal data should be treated as the most precious asset owned by the enterprise. Businesses should hold training sessions to explain the details of GDPR compliance to make sure every employee is aware of their role in protecting data throughout the organization. A typical GDPR policy will establish procedures and protocols limiting access to personal data, set consent standards, and provide for practical procedures regarding the data subject’s right to access and, if requested, delete their personal data. Besides creating a foundation for GDPR specifically, enterprises should also develop and implement a full set of policies regarding data security. Policies dealing with intrusion detection, data classification, privacy protection, password management, auditing and logging, and encryption, just to name a few, should all be developed in support of an overall GDPR compliance policy. 

One of the major provisions of the GDPR is the requirement for clear, affirmative consent wherever consent is the lawful basis relied on for using personal data. While the GDPR requires policies and procedures that establish enterprise-wide data security, there are also specific provisions of the regulation that require organizations to give data subjects access to their data. If your enterprise does not currently provide these mechanisms for all data subjects, it is not in compliance with the GDPR and is exposed to fines and penalties. To establish compliance with the GDPR, enterprises should implement procedures that require these steps and retrain personnel to include data protection in all development processes. 

The GDPR requires enterprises to perform Data Protection Impact Assessments for any new processing or changes to processing deemed to represent a high risk to the privacy and protection of personal data. The documentation of this auditing procedure could reveal areas of data privacy and protection vulnerability and advance the enterprise toward the goal of GDPR compliance. 

Keywords: [“data”,”GDPR”,”enterprise”]
Source: https://www.techrepublic.com/article/gdpr-compliance-deadline-is-approaching-10-things-to-do-right-away/

Our GDPR Commitment

With massively destructive data breaches hitting companies and even governments on a seemingly regular basis, sophisticated uses of personal data, and our on-demand data-driven way of life, the ability to process data and keep it private is critical. To ensure SurveyGizmo is responsibly processing data, our customers will have 24/7/365 access to a standard Data Processing Addendum as it becomes available. Company-wide GDPR training will take place before the May 25 deadline, ensuring all Gizmos are familiar with the regulation and our ongoing commitment to protecting data. Our data center in Germany signifies our invested partnership with our European-based clients, and allows us to keep EU data within the EU, eliminating many risks associated with transcontinental data transfers. With some of the strictest data privacy laws in all of the EU, Germany was quickly chosen as the home of our EU Data Center. 

Customers can exercise any or all of their individual rights under the GDPR. As a SurveyGizmo customer, you can request any of those rights over your data through multiple channels: by phone, by email, or through our main website. Individuals have the right to access their personal data and supplementary information. Individuals have the right to object to: data processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority; direct marketing; and data processing for purposes of scientific or historical research and statistics. A data controller is a person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. 

In relation to personal data, a data processor is any person who processes the data on behalf of the data controller. A subprocessor processes personal data on behalf of the data exporter and is often a third party. Processing includes disclosure of the information or data by transmission, dissemination or otherwise making it available, as well as alignment, combination, blocking, erasure or destruction of the information or data. 

Keywords: [“data”,”individual”,”SurveyGizmo”]
Source: https://www.surveygizmo.com/resources/blog/gdpr-commitment

GDPR News Center News for 10-05-2018

Our Outreach GDPR Compliance

Outreach believes that, as a SaaS company, security and privacy are a shared responsibility with our customers. Requirements such as greater data access and erasure rules, privacy by design, and data breach notification processes may mean changes for your organization, and are a shared responsibility between yourself and your partners. It is important to understand your obligations related to the GDPR regardless of where your organization resides, and Outreach will work with you to achieve them. By nature of Outreach’s integration architecture, you determine what data is sent over for processing. Accordingly, your company acts as the controller and must abide by a set of core principles regarding the handling of the personal data. 

Per the GDPR principles, you should avoid sharing unnecessary personal data with Outreach. Typically, the only class of personal data you should share with Outreach is contact information and you should not share other classes of data that are not relevant to managing your sales pipeline. It is your responsibility to ensure certain data types are not sent to Outreach for processing. Recommendation: Review the user information shared with Outreach and ensure you are not sharing any unneeded or sensitive personal data. GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared. 

If your legal counsel determines you also need to obtain user consent before using Outreach, make sure you update your integration with Outreach to only send data from those who provided the required consent or have otherwise consented to it. Outreach continues to monitor the guidance issued by the Article 29 Working Party to ensure that we remain abreast of the most recent developments pertaining to the GDPR. Even when the regulation comes into full effect, Outreach is prepared for the fact that privacy compliance in the EU will be an evolving area and that compliance with the GDPR is not a one-time check box or finish line; it will require continuous adjustments and actions to ensure that we, and our customers, remain compliant. 

Keywords: [“data”,”Outreach”,”share”]
Source: https://www.outreach.io/trust/gdpr-compliance

General Data Protection Regulation

The GDPR applies to the processing of data subjects’ personal data by organizations of any size, EU or non-EU, that provide goods or services to people in the EU or monitor the behavior of EU users. All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a Data Protection Officer. More detailed information about privacy by design can be found in Article 25 of the GDPR. Data Breach Procedures – Ensure that you have procedures in place to detect, report, and investigate any data breaches. Third-Party Providers – Keep your list of all the third-party solutions you currently use that have access to or process data subjects’ personal data up to date. 

Processing: The GDPR imposes direct legal obligations on data processors, meant to ensure that processors protect personal data appropriately, assist with data subject requests, and give notice of, and a right to object to, the use of sub-processors. SendGrid believes the GDPR is a significant step forward in data privacy and supports the GDPR’s emphasis on strong data privacy protections and security principles. SendGrid is making available a GDPR-compliant Customer Data Processing Agreement for its processing of personal data under the GDPR on behalf of its customers; if your use of SendGrid requires SendGrid to process personal data within the scope of the GDPR, SendGrid’s Data Processing Addendum is available for e-signature. Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we modified our vendor agreements to put GDPR-compliant terms in place with vendors and service providers who process personal data on our behalf. 

Many companies that are data processors of some personal data are also data controllers of other personal data. Your obligations under the GDPR depend on whether you are acting as a data controller or a data processor in connection with each category of personal data. Personal data can also be processed when necessary for the performance of a contract to which the data subject is a party. 

Keywords: [“data”,”personal”,”GDPR”]
Source: https://sendgrid.com/resource/general-data-protection-regulation/

GDPR News Center News for 10-04-2018

GDPR Commitment

The General Data Protection Regulation is considered to be the most significant piece of European data protection legislation to be introduced in the European Union in 20 years and will replace the 1995 Data Protection Directive. The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data. 

In summary, here are some of the key changes to come into effect with the upcoming GDPR: Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard. Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors. Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations. 

New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals. Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues. 

Keywords: [“Data”,”GDPR”,”organizations”]
Source: https://www.hotjar.com/legal/compliance/gdpr-commitment

GDPR News Center News for 10-03-2018

The European Union’s upcoming law on personal data processing, the General Data Protection Regulation, goes into effect on May 25th 2018. The GDPR encourages businesses to be more aware of the data they collect and what they do with it, and gives individuals much more control over what happens to their data. Personal data is any piece of data which can reasonably be traced back to a specific individual, including the obvious such as name, address, photo, phone number, and email address, but also the less obvious such as IP address, browser user agent, user ID, and so on. Where personal data processing is a core activity, as it is for many SaaS businesses, you may need to appoint a Data Protection Officer (Article 37) tasked with making sure all personal data is handled properly, and communicate the DPO’s contact details to the local data protection authority. The GDPR distinguishes between data controllers and data processors. 

As a SaaS, you will most likely be both: you are a controller for data which you collect yourself, and a processor for data which your customers store in your SaaS product. The tricky bit here is that if you use client-side JavaScript to submit the data to Google, the user’s IP address is sent to Google as part of the network request, and while Google claims it does not store this, the request can still be considered a transfer of personal data. We therefore suggest you collect the data on the server side, set the last octet of the IP address to 0 to anonymize it somewhat while still keeping rough location data, and submit it yourself. Note that truncating an address is pseudonymisation rather than full anonymisation: the coarsened value still narrows the user down to a small block, so it should still be handled as personal data. As for single sign-on, i.e. allowing users to log in using their Google or GitHub accounts, this is regulated by the terms between the user and the third-party provider, and as long as you handle the data you receive from these services in a similar fashion to the rest of your user data you shouldn’t have to give it much thought. 
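The server-side collection step the post recommends, as an added example that is not code from the Sanity post or from Google: the client address is coarsened before anything is forwarded to a third-party analytics endpoint, and the raw address never reaches the event. The IPv4 rule (last octet set to 0) is the post's; extending it to IPv6 by keeping only the first 48 bits, the single-proxy X-Forwarded-For handling, and the event shape are assumptions of this example, and the actual forwarding call is left out.

```python
"""Coarsen client IPs server-side before forwarding analytics events.

Added example; not code from the original post. Assumptions are marked.
"""
import ipaddress
from typing import Dict, Optional

# Bits of the address to keep. /24 zeroes the last IPv4 octet, as the post
# suggests. /48 for IPv6 is an assumption of this example (the post only
# discusses IPv4); it drops the last 80 bits, the part that identifies a host.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def coarsen_ip(addr: str) -> str:
    """Return addr with its host bits zeroed; raise ValueError if it is not an IP.

    This is pseudonymisation, not anonymisation: a /24 still narrows the
    client to 256 addresses and a /48 to one site, so the result should still
    be treated as personal data rather than as data outside the GDPR.
    """
    ip = ipaddress.ip_address(addr.strip())
    # A dual-stack socket reports IPv4 clients as ::ffff:a.b.c.d; unwrap so the
    # IPv4 rule applies to them instead of the looser IPv6 one.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    return str(ipaddress.ip_network(f"{ip}/{keep}", strict=False).network_address)


def client_ip(remote_addr: str, forwarded_for: Optional[str], trust_proxy: bool) -> str:
    """Choose which address represents the client.

    X-Forwarded-For is only honoured when the request is known to have come
    through our own reverse proxy; otherwise any client can put an arbitrary
    address in the header. When trusted, the rightmost entry is the one our
    proxy appended, i.e. the address it actually saw connecting (assumption:
    a single proxy hop in front of the application).
    """
    if trust_proxy and forwarded_for:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def prepare_event(remote_addr: str, headers: Dict[str, str], path: str,
                  trust_proxy: bool = False) -> Dict[str, str]:
    """Build the analytics event to forward. The raw address never leaves here."""
    raw = client_ip(remote_addr, headers.get("X-Forwarded-For"), trust_proxy)
    event = {"ip": coarsen_ip(raw), "path": path}
    # The HTTP POST to the analytics provider would happen here, from the
    # server, using `event`; it is intentionally not shown. Do not log `raw`.
    return event


if __name__ == "__main__":
    # Constructed sample requests using documentation-range addresses, not real clients.
    print(prepare_event("203.0.113.77", {}, "/pricing"))
    print(prepare_event("10.0.0.5",
                        {"X-Forwarded-For": "198.51.100.9, 2001:db8:abcd:1234::beef"},
                        "/signup", trust_proxy=True))
```

An invalid address raises ValueError rather than being passed through, so a caller has to decide explicitly whether to drop the event; silently forwarding whatever arrived would defeat the point.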

Many databases will simply mark a row as deleted or outdated, but not actually remove it from disk until it is overwritten by other data. The same applies to backups, replicas and log files, so an erasure procedure has to account for every copy, not just the live table. Most of the issues we have discussed so far have applied to data for which you are the controller. We can’t hope to cover all aspects of running a GDPR-compliant SaaS business here; in particular, we haven’t discussed security practices, processes for exporting and deleting data on user request, or handling of your employee data. 

Keywords: [“data”,”personal”,”collect”]
Source: https://www.sanity.io/blog/a-rough-guide-to-running-a-gdpr-compliant-saas-business

GDPR News Center News for 10-02-2018

5 last-minute GDPR resources to help bring businesses into compliance

This Friday is the deadline for compliance with the European Union’s new General Data Protection Regulation, widely considered the strictest law in the world in terms of regulating the collection and use of consumer data. In broad strokes, the GDPR generally requires companies to get clear consent for collecting people’s personal data and allows people to access the data stored about them, fix it if it’s wrong, and delete it if they so choose. Even if your business isn’t based in the EU, it may still be required to comply with the GDPR if it collects data on people in the EU, and the fines for not complying can be severe: up to 20 million euros or 4% of annual global turnover, whichever is higher, in the most egregious cases. If you’re still scratching your head about what you need to do to get ready for the new law, here are a few resources that can help. Parker, an automated chatbot from international law firm Norton Rose Fulbright, can help if you’re still figuring out whether your business outside the EU even needs to comply with the GDPR. 

Essentially a checklist in chat form, the tool can help you decide in a few minutes how concerned you need to be about the new regulation. This GDPR compliance checklist, developed by a group of startup founders from Belgium, can help you take the same rigorous approach to making sure you’re ready for the new law. While this guide is aimed at designers, it’s useful to anyone who’s involved in crafting websites, apps, or services that are going to potentially handle people’s personal data. Designers, developers, and managers all need to be thinking about what data they actually need to collect, and where they can store and process it. They also need to make sure users clearly agree to what’s going on and have the legally required resources to access, update, and delete their data if need be. 

If you want to let your customers see the data you have on them-and update or delete it if they wish-but you also store data across multiple cloud vendors, you might have some work to do. One solution is to use a core tool that syncs that data to as many of those third-party cloud services as possible to simplify things when those user requests come in or you’re preparing your compliance documentation. Segment, which has long helped companies connect with third-party data services, has rolled out tools to help its customers track those requests, data updates, and user consent changes to forward them on to supported vendors. 

Keywords: [“Data”,”need”,”new”]
Source: https://www.fastcompany.com/40575829/5-last-minute-gdpr-resources-to-help-bring-businesses-into-compliance

How to Comply with GDPR

The GDPR is designed to protect the personal data of individuals in the EU, and to do so it regulates how such data is collected, stored, processed, and destroyed. Perhaps most importantly, the territorial scope of the law is very broad. Article 3 of the GDPR makes a company anywhere in the world subject to the GDPR if it processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour. It doesn’t matter if your company has no offices or employees in the EU, or even if no transactions are carried out in the EU. If you process such a person’s personal data, then you need to comply with the GDPR or face the financial consequences. 

While GDPR compliance is important, it is vital not to forget about the other compliance and data privacy regulations that may apply to your organization. This includes a GDPR checklist for data controllers and a GDPR checklist for data processors. Consider how to verify individuals’ ages and how you can obtain parental or guardian consent for any data processing activity. Designate someone to take responsibility for data protection compliance and consider whether you are required to formally designate a Data Protection Officer. The GDPR makes a distinction between a data processor and a data controller. 

For more on Data Protection Impact Assessments, see How a Data Protection Impact Assessment Helps You Comply with GDPR.

Right to access, rectification and erasure

How to protect customer information under GDPR

The GDPR is designed to protect data subjects, but it goes to great lengths to avoid spelling out in technical terms what you need to do to achieve suitable levels of data security. It’s a common myth that the GDPR requires the use of data encryption, and some consultants appear to be pushing sales of encryption products by implying that all you need to do is encrypt all your data and you will satisfy 90% of GDPR requirements. What the regulation actually says is narrower: Article 32 names encryption and pseudonymisation as examples of appropriate technical measures, and Article 34 relieves a controller of notifying affected data subjects where the breached data was rendered unintelligible (for example by encryption) to anyone not authorised to access it, but neither article makes encryption mandatory. Any encryption initiative will likely involve an encryption product that handles data encryption as well as manages encryption keys, and may also include a cloud encryption gateway to ensure that data that is sent to the cloud for storage or processing is also encrypted. 

Detecting breaches is far from trivial – it takes an average of 191 days for data breaches to be detected, according to the Ponemon Institute’s 2017 Cost of A Data Breach Study. 

Keywords: [“Data”,”GDPR”,”company”]
Source: https://www.esecurityplanet.com/network-security/how-to-comply-with-gdpr.html

GDPR News Center News for 10-01-2018

What is GDPR? Understanding and Complying with GDPR Data Protection Requirements

A Definition of GDPR. The General Data Protection Regulation, agreed upon by the European Parliament and Council in April 2016, replaces Data Protection Directive 95/46/EC from 25 May 2018 as the primary law regulating how companies protect EU citizens’ personal data. GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data. The purpose of the GDPR is to impose a uniform data protection law on all EU members, so that each member state no longer needs to write its own data protection laws and the rules are consistent across the entire EU. 

In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, the GDPR has an impact on data protection requirements globally. The article numbers below follow the draft regulation; the adopted text numbers the same provisions differently, as noted. Articles 17 & 18 – Articles 17 and 18 give data subjects more control over their personal data: they may direct a controller to erase it under certain circumstances (Article 17, the right to erasure, in the adopted text) and may transfer it between service providers more easily (Article 20, data portability, in the adopted text). Article 31 (Article 33 in the adopted text) specifies requirements for data breaches: controllers must notify supervisory authorities of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and must provide specific details of the breach such as its nature and the approximate number of data subjects affected. 

Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed. 

Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects. 

Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies. For many of these companies, the first step in complying with GDPR is to designate a data protection officer to build a data protection program that meets the GDPR requirements. 

Keywords: ["Data","GDPR","company"]
Source: https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection

5 last-minute GDPR resources to help bring businesses into compliance

This Friday is the deadline for compliance with the European Union’s new General Data Protection Regulation, widely considered the strictest law in the world in terms of regulating the collection and use of consumer data. In broad strokes, GDPR generally requires companies to get clear consent for collecting people’s personal data, and allows people to access the data stored about them, fix it if it is wrong, and delete it if they so choose. Even if your business isn’t based in the EU, it may still be required to comply with GDPR if it collects data on people in the EU, and the fines for not complying can be severe: up to 20 million euros or 4% of annual revenue in the most egregious cases. If you’re still scratching your head about what you need to do to get ready for the new law, here are a few resources that can help. Parker, an automated chatbot from international law firm Norton Rose Fulbright, can help if you’re still figuring out whether your business outside the EU even needs to comply with GDPR. 

Essentially a checklist in chat form, the tool can help you decide in a few minutes how concerned you need to be about the new regulation. This GDPR compliance checklist, developed by a group of startup founders from Belgium, can help you take the same rigorous approach to making sure you’re ready for the new law. While this guide is aimed at designers, it’s useful to anyone who’s involved in crafting websites, apps, or services that are going to potentially handle people’s personal data. Designers, developers, and managers all need to be thinking about what data they actually need to collect, and where they can store and process it. They also need to make sure users clearly agree to what’s going on and have the legally required resources to access, update, and delete their data if need be. 

If you want to let your customers see the data you have on them (and update or delete it if they wish), but you also store data across multiple cloud vendors, you might have some work to do. One solution is to use a core tool that syncs that data to as many of those third-party cloud services as possible, to simplify things when those user requests come in or you’re preparing your compliance documentation. Segment, which has long helped companies connect with third-party data services, has rolled out tools to help its customers track those requests, data updates, and user consent changes and forward them on to supported vendors. 

Keywords: ["Data","need","new"]
Source: https://www.fastcompany.com/40575829/5-last-minute-gdpr-resources-to-help-bring-businesses-into-compliance

GDPR News Center News for 09-30-2018

General Data Protection Regulation

Whenever a data subject is about to submit their personal information, the data controller has to make sure the data subject has given their consent. Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. The new right to data portability allows data subjects to demand a copy of their data in a common format; data subjects have always had a right to request access to their data. On the security side, the GDPR will require many businesses to have a Data Privacy Officer to help oversee their compliance efforts. 

Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations that process what is currently known as sensitive personal data on a large scale. Since the GDPR is all about transparency and fairness, Controllers and Processors will need to review their Privacy Notices, Privacy Statements and any internal data policies to ensure they meet the requirements under the GDPR. If a Controller engages third-party vendors to process the personal data under its control, it will need to ensure its contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. The GDPR contains a new requirement that controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of learning of it, unless the data was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. 

Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. While the current legislation, the 1995 EU Data Protection Directive, governs entities within the EU, the territorial scope of the GDPR is far wider, in that it will also apply to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you. The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue. 

Keywords: ["data","GDPR","new"]
Source: https://www.hubspot.com/data-privacy/gdpr

GDPR News Center News for 09-29-2018

Olark and the GDPR Legislation

On May 25, 2018, the new General Data Protection Legislation will be coming into force in the European Union. While we are not able to answer legal questions regarding how your own organization achieves compliance, we can and will support your compliance efforts by providing information about the data that Olark collects, transmits and stores for your organization. The GDPR is territorial – meaning the GDPR applies to any organization that processes EU personal data, regardless of where the organization may be located. We have worked hard with our legal and engineering teams to ensure that, to the extent Olark directly collects EU personal data, it is in compliance with the GDPR. We are fully compliant with the EU-US Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the European Union and Switzerland to the United States. 

The data subjects are your customers or end users residing in the EU. You are the data controller because you decide the purposes for which you need to collect personal data from data subjects and the means by which you want to collect it. Olark is a data processor because we process data from your data subjects on your behalf and on your instructions. 

Individual Rights: The GDPR expands data subjects’ rights to their personal data. Except as limited by applicable law, EU data subjects have the right to access the personal data a company is processing on them; to restrict the processing; to correct incomplete or inaccurate personal data; to have their personal data deleted; and to object to their data being used for certain purposes. As a data processor, Olark does not and cannot determine the legal basis for processing visitor personal data on behalf of its customers. Additional context: One of the changes under the GDPR is the expansion of privacy rights for individuals located in the EU. As a data controller, you will need to be ready and able to comply with applicable individual rights requests, such as deleting a customer’s personal data from your records or providing them with a copy of the data you hold. 

You may continue to use transcript data because you have a legal obligation to retain the data, if processing the data is in your website visitors’ legitimate interest, or if your use of transcript data is directly related to performance of a contract or to steps a customer has requested you take prior to entering into a contract. Finally, you may be able to fulfill your GDPR obligations by refraining from certain uses of transcript data. 

Keywords: ["data","GDPR","personal"]
Source: https://www.olark.com/help/gdpr

GDPR News Center News for 09-28-2018

Most firms will not be GDPR-ready by compliance deadline

With just one month to go until the compliance deadline for the EU’s General Data Protection Regulation, research data shows that many companies will not be ready in time. Only 51% of companies polled say they have all the systems in place that will enable them to remove EU citizen data from servers on request, including back-ups, in accordance with Articles 16 and 17 of the GDPR. Worryingly, 21% do not yet have any systems in place to meet these requirements, according to a study published by data security company WinMagic. In many cases, the survey shows that companies lack the systems and processes to ensure compliance with the new legislation, which affects all companies holding and processing EU citizen data. 

Organisations found to be non-compliant could also face a range of other punitive actions from data protection authorities, including compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders. 

Data management delays: A quarter of respondents admitted that systems were only partly implemented, and would not allow the automated removal of citizen data from back-ups. 

Failing to encrypt data: An average of 20% of the companies surveyed lack continuous encryption for personally identifiable information across their cloud and on-premise servers, despite appropriate levels of encryption and anonymisation being a requirement for GDPR compliance. Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl can be common, leading to silos of hidden data and a fragmentation of governance, which leaves companies non-compliant and at risk of heavy fines. 

Poor data breach monitoring: When a data breach occurs, the report said, speed is the key element not only in responding to ongoing attacks but also in controlling the spread and abuse of data by cyber criminals. 

The GDPR requires companies to report data breaches to the relevant data protection authority within 72 hours of discovery, yet 41% of respondents said they could not achieve this today. Many companies lack the tools that would identify whether a breach has ever occurred or what data was taken. Commenting on the fast-approaching GDPR compliance deadline, Tamzin Evershed, senior director and global privacy lead at Veritas Technologies, said that in recent months companies have been striving to gain complete visibility and control of their data – including what information is stored, who owns it, who has access and how it is used. This approach is in line with that advocated by UK information commissioner Elizabeth Denham, who has repeatedly emphasised that the GDPR is about gaining and maintaining consumer trust, which is essential for the development and innovation of business using data. 

Keywords: ["Data","company","breach"]
Source: https://www.computerweekly.com/news/252439872/Most-firms-will-not-be-GDPR-ready-by-compliance-deadline

GDPR News Center News for 09-27-2018

On May 25, the General Data Protection Regulation will go into effect in the European Union, but its implications will reach far beyond the borders of the 28 member states of the EU. US businesses need to know the regulation and understand how it can impact their business operations, so they can protect against the legal consequences and sizable fines for non-compliance. Now more than ever, US companies must be sure that data security, including the data that is shared in communication channels, is secure and compliant. The fundamental principle of the regulation is the right to privacy and protection of EU citizens, giving them the right to anonymity in the data that they share with businesses and enterprises. 

GDPR’s impact on US businesses: Any personal data that is sourced from citizens currently residing in the EU must comply with the GDPR. Therefore, businesses that retain such data and/or behavioral information, even if it doesn’t leave the EU, will still be subject to GDPR regulations. 

Once a US retailer gets permission to use an EU resident’s email address, the retailer would have to appoint a representative in the EU to be responsible for following GDPR in its collection and processing of that data in the cloud. 

GDPR’s impact on internal US communications: Customer data, including that of people who fall under the protection of GDPR, is often shared within companies via channels like email, and increasingly on business messengers like Microsoft Teams, Atlassian’s Stride, Slack, and others. Collaboration is the primary selling point for such solutions, and teams often share documents using these platforms, which can also be connected to other external platforms like Google Docs. If the documents shared contain personal data, those platforms must also comply with GDPR. Going forward, US companies will need not only to get permission to collect and process customer data, but also to get permission to make that personal data available to any tools they use internally for collaboration. The exception to the rule is when the chosen internal communication and collaboration tool secures all data with end-to-end encryption, since the service provider then does not get access to any customer data. 

Right to access: Consumers, or data subjects, have the right to confirm whether their personal data is being processed, and they can ask the data controller for a copy of the personal data, free of charge. 

Right to be forgotten: Data subjects have the right to have their data erased, and they can ask for their data not to be disseminated and potentially have third parties halt processing of their data. Data portability: Data subjects can have their data sent to them or even transmitted to another data controller. GDPR will be the foundation for well-regulated sourcing and collection of personal data and behavioral information about internet users throughout the world. 

Keywords: ["Data","GDPR","Regulation"]
Source: https://qz.com/1284895/what-gdpr-compliance-means-for-american-businesses/
