GDPR News Center News for 10-25-2018

EU GDPR Webinar: The IT Manager’s guide to GDPR – Getting your department up to speed and ready

GDPR Compliance

The Regulation increases the control that EEA citizens and residents have over their personal data in the digital age and presents a more unified environment for international business across Europe. It affects any business that receives, processes, stores or transfers personal data of EEA-based individuals, regardless of where the business itself is located. Personal data is defined broadly and typically includes any information relating to an identifiable individual, such as name, email address, location, online identifier, IP address or home address. Data subjects gain new rights over the personal data being stored, including the right to be told in advance what the data is being used for, how it will be processed and when it will be deleted. As a result, most businesses dealing with the European market have had to review and update their data practices and privacy policies. 

BlueSnap & the GDPR. BlueSnap has been focused on completing its General Data Protection Regulation compliance efforts. To enable BlueSnap merchants to continue accepting orders from individuals based in the European Economic Area from 25 May 2018 onwards, the GDPR requires us to put in place a data protection agreement containing mandatory provisions for all merchants, wherever they are based. We therefore issued a Data Protection Addendum effective for BlueSnap and all merchants as from 25th May 2018. Review the new Data Protection Addendum here: https://home. 

To cover transfers of personal data from the European Economic Area to the US, BlueSnap has been certified under the EU-US Privacy Shield since Q3 2016. We also added certification under the Swiss-US Privacy Shield scheme in 2017 and are currently finalizing updated data processing agreements with the relevant parties involved in the processing, receipt and storage of personal data. We strongly advise merchants that receive shopper details from EEA-based individuals to take immediate steps to ensure that their own data management practices comply with the GDPR, and that any other third-party services used alongside BlueSnap are also compliant. 

Keywords: [“data”,”BlueSnap”,”individual”]

‘Everyone is breaking the law right now’: GDPR compliance efforts are falling short

The arrival of the General Data Protection Regulation a month ago led to a flurry of activity, clogging email inboxes and flooding people with tracking consent notices. Experts say much of that activity was for show, because much of it does not actually make companies compliant with GDPR. Part of the issue, they say, is that the Regulation’s vague wording has been interpreted in wildly different ways, so consent-request messages vary enormously across sites: default pre-ticked opt-ins, buried options that users have to hunt for, consent banners whose information is only available at a further click and which offer no button to reject, and implied-consent approaches. None of these yields valid consent under the Regulation, which requires a freely given, specific, informed and unambiguous affirmative act; Recital 32 states outright that silence, pre-ticked boxes or inactivity do not constitute consent. 

Others have simply reskinned the cookie-banner messages already required under the existing ePrivacy Directive. After a tumultuous few weeks following the law’s arrival on May 25, during which programmatic ad volumes plummeted, mostly as a result of Google’s last-minute GDPR policy changes, programmatic spending is returning to pre-GDPR levels. GDPR has been criticized for being vague and open to interpretation, which is what led to such disparate methods of gaining consent. Publishers across Europe are divided between those that have taken softer legitimate-interest or opt-out approaches to claim compliance and those that have gone the harder consent-based route that requires people to opt in. Bloomberg and Forbes appear to be taking strict active-consent approaches, while others such as the Guardian and MailOnline are running consent banners. 

Several publishers have split their explainers on cookie use into cookies used for advertising and tracking and cookies used for site analytics, though users aren’t always able to accept one and reject the other; in many cases it’s all or nothing. Others are simply hoping to stay under the radar until they have figured out how to be compliant in a way that doesn’t damage the business model. Publishers went on a soul-searching mission when ad blocking reached crisis levels in 2017. 

Keywords: [“publishers”,”consent”,”GDPR”]

80 Percent of Companies Still Not GDPR-Compliant

Several weeks after the deadline for General Data Protection Regulation compliance, the vast majority of companies are either still working on it or have yet to begin. That’s according to the latest research from TrustArc, which surveyed 600 IT and legal professionals responsible for privacy at companies required to comply with GDPR in the United States, the United Kingdom and the European Union, one month after the May 25 deadline. Only one in five companies surveyed believes it is GDPR-compliant, while 53 percent are in the implementation phase and 27 percent have not yet started. EU companies, excluding the U.K., are furthest along, with 27 percent reporting that they are compliant, versus 12 percent in the U.S. and 21 percent in the U.K. 

While many companies have significant work to do, nearly three in four expect to be compliant by the end of this year and 93 percent by the end of 2019. While many companies still have a long way to go, a comparison to August 2017. About one in four companies spent more than $500,000 to become GDPR-compliant, while one in three plan to spend that amount on compliance efforts between June and December 2018. Percent of U.S. companies spent more than $1 million on compliance, vs. 10 percent for U.K. and 7 percent for EU companies. Despite the difficulties of becoming GDPR-compliant, 65 percent view GDPR as having a positive impact on their business, while 15 percent see it as negative. Meeting customer expectations was the main driver for becoming compliant, well ahead of concern about fines. The complexity of GDPR posed the biggest challenge to compliance. The vast majority said data privacy will become more important at their companies after the GDPR deadline, and 80 percent plan to increase spending on GDPR technology and tools to maintain compliance. 

Keywords: [“percent”,”companies”,”compliance”]

GDPR News Center News for 04-10-2018

GDPR Readiness: Compliance Deadline Looms, Confusion Remains

With Europe’s General Data Protection Regulation set to apply from May 25, 2018, network security provider WatchGuard has produced a study looking at how well organizations understand the law, its impact on their business, and their readiness for the compliance deadline. Bottom line: any company that stores or processes personal information about people in the EU must comply with the GDPR, and that scope turns on where the data subject is, not on citizenship or on where the company sits. The study’s results show that organizations still lack a clear understanding of exactly how it applies to them. Do they realize they’re adrift in treacherous waters? Penalties for noncompliance are steep: up to four percent of annual worldwide turnover, or €20 million if that is higher. Maybe yes, maybe no: some 44 percent of respondents don’t actually know how close their organization is to complying with the law. Who knows? 37 percent of organizations don’t know whether they need to comply with GDPR, while 28 percent believe their organization doesn’t need to comply at all. Of the organizations that don’t believe the law applies to them, 14 percent collect personal data from EU citizens. Some 28 percent of those unsure about GDPR compliance also collect this type of information. In the Americas, just 16 percent of organizations believe they’ll need to comply. Who’s ready? Despite having known about GDPR for a while, only one in 10 companies said they’re 100 percent ready for it. Getting there: 86 percent of the organizations that recognize they need to comply believe they have a compliance strategy in place, built on firewalls, VPN and encryption technologies. Work left to do: 51 percent said their organization will need to make significant changes to its IT infrastructure in order to comply. The pressure is on: respondents from organizations that are not yet GDPR-compliant figure it will take them seven months to get the job done, and about 48 percent are looking to third parties for help. 
Every company with access to data from European citizens needs to understand GDPR and its impact, said Corey Nachreiner, WatchGuard CTO. “Unfortunately, the data shows that an alarming number of organizations are still unaware or mistaken about the necessity for GDPR compliance, leaving them three steps behind at this stage,” he said. “The only way to prevent unnecessary fines and frustration is to take a good hard look at the criteria, assemble a GDPR plan of action and begin implementing it immediately.”

Keywords: [“organization”,”percent”,”GDPR”]

The GDPR Overview

You’ve probably heard mention of the GDPR, and likely have many questions about its scope, implications and potential effects, both on your own business and on the domain industry as a whole. The GDPR lays out a new set of rules for how the personal data of people living within the EU should be handled. Clear, informed consent and individual control over the use of personal data are basic rights under the GDPR. Any business collecting personal data must have a lawful basis for doing so, typically the individual’s consent, and must explain what it needs the information for. The GDPR also imposes requirements on how companies must handle security breaches that expose personal data. What is the purpose of the GDPR? The GDPR helps protect individual privacy in the digital age. The European Union views the protection of personal data as nothing less than a fundamental right, alongside freedom of expression, freedom of thought and the right to a fair trial. Although other privacy laws are already in effect, the GDPR is different in the breadth of its applicability and because significant fines may be levied for non-compliance. The GDPR replaces the 1995 EU Data Protection Directive, harmonizing privacy laws across the EU. Once it comes into effect on May 25, 2018, it will be law in all EU member states. You have customers who live in the EU. You now need to ensure that you’re obtaining permission from these customers to use their personal data, and meeting the updated requirements surrounding its handling. Before the GDPR comes into effect in May 2018, you’ll want to make sure you’re compliant. While the rules outlined in the GDPR apply only to EU-local individuals. How should you prepare for the GDPR? 
It’s important to get started now so you’re able to fully understand the implications the GDPR could have for your business, and plan effectively to meet the updated requirements. We already store your data securely, but we’re doing some internal review to see how we can strengthen our protections to keep information safe. We would like to reinforce this point: Tucows does not share personal data beyond what’s needed to provide the service that the client ordered.

Keywords: [“GDPR”,”data”,”information”]

The GDPR will cause challenges for connected care developers

According to a new research report from the IoT analyst firm Berg Insight, the General Data Protection Regulation, which becomes applicable in 2018, will cause challenges for companies in the telecare industry. Telecare and telehealth apps and devices potentially generate huge amounts of data that could be used for various purposes. Today, data is increasingly used to help patients without requiring their active involvement. This includes various kinds of health data as well as location and movement data, which can be used to detect abnormalities: if a user departs from routine, for example by not getting out of bed or by going to bed at an unusual time, a notification can be sent to relatives or caregivers. Legislative authorities in the EU are designing legal frameworks intended to fit the new data-driven world of mobile health. As part of this, the General Data Protection Regulation takes effect in 2018 and aims to harmonise data protection rules across the EU, giving businesses legal certainty and increasing trust in eHealth services through a consistently high level of protection for individuals. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU. It replaces the Data Protection Directive and becomes enforceable from May 25 next year, after a two-year transition period. It does not require national governments to pass any enabling legislation and is directly binding and applicable. “While the future is data driven, end-users do care more and more about integrity aspects. The GDPR aims to increase privacy for the end-user, which is a step in the right direction. The regulation by default actually prohibits processing of health data unless explicit consent has been given. 
At the same time, this will cause challenges for those telecare and telehealth solution providers that are not proactively working on their preparations.” “If the solution providers are not sufficiently prepared for handling, processing and storing sensitive data in accordance with GDPR, they could risk heavy fines for not fulfilling the requirements,” says Anders Frick, senior analyst, Berg Insight.

Keywords: [“Data”,”Protection”,”GDPR”]

GDPR News Center News for 03-29-2018


As the Vice President of Global Advisory Services, Jamie focuses on information law, compliance and governance issues. She has more than 17 years of in-house, government and law firm experience, which she draws upon to advise corporations, particularly those in heavily regulated industries, on legal and compliance risk mitigation strategies. Common areas include ediscovery, digital investigations, data protection, legacy data remediation and IT transformation initiatives. Jamie has worked for several leading financial institutions, including UBS in New York, where she was an Executive Director in Legal and Compliance and was responsible for designing, implementing and managing a centralized litigation and investigations response program to support the firm’s litigation and investigation matters worldwide. Jamie also worked for Barclays, leading and implementing a global program to reduce the legal, regulatory and privacy risk associated with legacy systems and data. Before moving in-house, Jamie spent several years in government service, first as a trial attorney in the Division of Enforcement at the U.S. Commodity Futures Trading Commission in Washington, D.C., and later as Assistant General Counsel for the agency, where she advised Enforcement attorneys on investigation techniques, strategies and protocols on cases of global prominence. She also managed several key congressional investigations, Inspector General investigations and internal investigations, including advising the Commission on strategy and risk mitigation. Jamie has testified in federal court and has qualified as an ediscovery expert. In her corporate and government roles, she served as a 30(b)(6) designee for formal and informal testimony, and regularly interfaced with regulators and Congress on ediscovery strategy and internal practices. 
Independently, Jamie has advised corporate legal departments on ediscovery best practices and on developing and enhancing their operating models, particularly in the face of regulatory scrutiny. Jamie began her career as a litigation and government investigations associate at King & Spalding in Washington, D.C., and was later a litigation partner at Fennemore Craig in Phoenix, Arizona. Jamie is a graduate of Duke Law School and Arizona State University and a former law clerk to the Honorable Roslyn O. Silver of the U.S. District Court for the District of Arizona. She is a frequent speaker and lecturer at educational events and legal conferences internationally.

Keywords: [“investigation”,”Jamie”,”legal”]

60 percent of organizations aren’t ready for GDPR

With the May 2018 deadline looming closer, a new survey shows that 60 percent of respondents in the EU and 50 percent in the US say they face serious challenges in becoming GDPR-compliant. The study by data protection specialist Varonis polled 500 cyber security professionals at organizations with over 1,000 employees in the UK, Germany, France and the US, and finds that more than half are concerned about compliance with the regulation. 38 percent of respondents report that their organizations do not view compliance with GDPR by the deadline as a priority. 74 percent believe that adhering to GDPR will give them a competitive advantage over other organizations in their sector. What is seen as the biggest challenge varies by geography. Among UK respondents, 58 percent think that implementing data protection by design poses the greatest challenge in meeting the GDPR, followed by the right to erasure. In the US, security of processing is seen as the biggest challenge, followed by data protection by design. Both Germany and France see the right to erasure as the biggest challenge. “Things are moving in the right direction but some organizations are yet to get the groundwork done. Some have still to survey the data that they’re holding and the processes around it,” says Matt Lock, Varonis’ director of sales engineers and GDPR expert. “There’s still a long way to go. We also don’t know at this stage whether the ICO will have the resources to enforce GDPR.” 36 percent of respondents in the UK, 35 percent in Germany and 42 percent in France report already being in compliance. In the UK, 51 percent of respondents say their organisation is more than 50 percent of the way through its compliance process. One in four US respondents believe their firms don’t need to comply with GDPR. “There’s a growing acceptance that implementation of GDPR will be quite hard, people won’t just be able to tick a box on May 25th to say that they’re ready,” adds Lock. 
“Many organizations are realising it’s a monster task. We’re seeing lots of different approaches too, in many cases businesses are looking to get rid of data – which is a bit all or nothing – but there are also phased projects to identify data and ensure compliance. The big challenge for organizations now is just the wealth of data they collect. I think GDPR may be a driver for some businesses to reduce the amount of information they hold.” You can find out more in the full report, which is available from the Varonis website.

Keywords: [“percent”,”GDPR”,”data”]

GDPR Services

EPI-USE Labs has developed a GDPR Compliance Suite for SAP and Data Secure™. It also offers guidance and best practice: knowledge and direction on where data is stored in SAP®, an understanding of the affected data types, and the choices and processes needed to meet the requirements. EPI-USE Labs has spent over twenty years in the SAP data space creating and developing advanced software solutions, and can also offer guidance and share expertise on GDPR. Data Disclose solution. Data Disclose is a software application that lets you locate and display data across your SAP systems in seconds, with APIs to connect non-SAP systems as well. It is built on existing technology and intellectual property (leveraging the well-established Data Secure software suite), and can present the data in a flexible, encrypted, company-branded PDF. Because people have the right to ask for details about their data, organisations need to know which personal data is stored where, and for what purpose. Data Disclose is intended to shine a light on the dark, dusty corners of your SAP system so you can see exactly where the data resides across systems. Tackling GDPR in detail: the importance of privacy, transparency and technology. Personal data rights. GDPR protects personal data rights such as the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. Key requirements of GDPR. Where an organisation relies on consent to store and process personal data, that consent must be given by the data subject, and for special categories such as health data it must be explicit (consent is one of six lawful bases under Article 6; performance of a contract and legitimate interests are among the others). The purpose for storing the data must be transparent, and the data subject can require processing to be restricted while concerns are dealt with, as well as request that the information be removed from the system. 
The law also requires documentation showing that data protection is built in by design and that processes respect the rights of the data subject. Imagine having to log in to a number of SAP systems to download table entries, or take screenshots, just to show a data subject’s footprint. Your challenges include: the complexity, volume and sheer scale of GDPR; a lack of consistency, since every GDPR compliance project is different depending on the industry, existing IT systems, usage of data and so on; and data that is stored and replicated across the system in many places, such as customer master, business partner and change document tables.

Keywords: [“data”,”system”,”right”]

GDPR News Center News for 02-16-2018

Confusion and lack of preparation in the face of looming GDPR deadline

With the GDPR deadline set for 25 May next year, many organisations are ill-prepared because of uncertainty about the criteria for compliance. 37 percent of respondents to a Vanson Bourne survey simply don’t know whether their organisation needs to comply with GDPR, while 28 percent believe they don’t need to comply at all. Under the GDPR, any company that stores or processes personal information about people in the EU must be able to demonstrate compliance, regardless of the individual’s citizenship or the company’s location. Of the respondents who don’t believe the law applies to their organisation, one in seven collect personal data from EU citizens, while 28 percent of respondents unsure about compliance also said that they collect this type of information. The results show that many companies are misinterpreting which types of data bring them within scope. “Once enforcement for this new legislation begins, companies all over the world will feel its impact. Unfortunately, the data shows that an alarming number of organisations are still unaware or mistaken about the need for GDPR compliance, leaving them three steps behind at this stage,” said Corey Nachreiner, CTO at WatchGuard. “In the Americas, just 16 percent of organisations believe they need to comply. With sensitive customer data and non-compliance fines at stake, every company with access to data from European citizens needs to ensure they truly understand GDPR and its ramifications.” While many organisations have been aware of GDPR for some time, just 10 percent of respondents, including those in the UK, believe their company is currently 100 percent ready. In another illustration of the lack of clarity and communication around GDPR, 44 percent of respondents stated that they don’t know how close their organisation is to compliance. Of those who reported that their organisation needs to comply with GDPR, the majority, 86 percent, believe they have a solid compliance strategy in place. 
51 percent of those respondents believe that their organisation will need to make significant changes to its IT infrastructure in order to comply. Although the findings show that firewalls, VPN and encryption are the security measures most likely to feature in compliance strategies, only 18 percent of respondents said that sandboxes would play a role in their GDPR plan. For organisations that are not yet GDPR-compliant, respondents estimate it will take an average of seven months to complete the requirements. To bridge the gap, 48 percent of respondents’ organisations are seeking, or might seek, assistance with compliance from an outside party. “Companies stand to lose four percent of their worldwide revenue if they haven’t met all the requirements by next May. The only way to prevent unnecessary fines and frustration is to take a good hard look at the criteria, assemble a GDPR plan of action and begin implementing it immediately.”

Keywords: [“percent”,”organisation”,”GDPR”]

Google and Facebook are Significantly Exposed to Disruption via GDPR

Substantial parts of Google’s and Facebook’s businesses will be disrupted by the EU’s new GDPR data protection rules, which apply from May 2018, according to Dr Johnny Ryan of PageFair, a company that specialises in helping publishers monetise their inventory in the face of ad-blocking. Under the new rules, neither Google nor Facebook will be able to use the personal data they hold for advertising purposes without user permission. When a person uses Google or Facebook, they willingly disclose personal data; under the GDPR, that data cannot be used for any further purpose unless the user permits it. Google has a large number of products exposed to GDPR. PageFair’s assessment of Google’s products against its GDPR exposure scale puts a significant range of them at four. All personalised advertising on Google sites such as Search, YouTube and Maps, and on the websites where Google provides advertising, is scored four because it will require users to opt in to extensive tracking. Google might have a get-out where users have already signed in to Google Search or Chrome, in which case it might argue that those services are “compatible” with what users signed up for. “Operating these under the GDPR would require not only that a user consents to Google’s use of data for advertising targeting purposes, but to the many other companies such as DMPs, DSPs, and so forth processing these data too. The DoubleClick business is therefore at four on the scale.” “Remarketing lists for search ads”, which retargets site visitors using Google Analytics, is likely to be prevented by the proposed ePrivacy Regulation (ePR). Gmail might also be affected, since Google mines the content and metadata of each email message sent and received in Gmail to target advertising. 
As Ryan notes, this could not have continued under the GDPR and ePR without each sender and recipient giving consent, and he suggests that this might be the real reason, or at least a contributing one, behind Google’s recent announcement that it will stop mining people’s emails for ads. Interestingly, Google’s AdWords product has the advantage that it can be modified to operate entirely outside the scope of the GDPR and ePR, which is why it appears both at four on the scale and at one. Ryan says that if Google discards the personalised targeting features of AdWords, it can continue to target advertisements to people based on what they search for. Finally, at zero on the scale are Google’s “placement-targeted” advertisements. Turning to Facebook, Audience Network is scored four because it requires the processing of personal data from Facebook. WhatsApp advertising is also scored four because users will have to consent to their WhatsApp personal data being processed for purposes unrelated to WhatsApp functionality on Facebook.

Keywords: [“Google”,”data”,”advertiser”]