What is the Difference Between a Controller and a Processor in GDPR?
Apr20

The General Data Protection Regulation (GDPR) makes frequent reference to data controllers and data processors, but what is the difference between a controller and a processor under the GDPR? When the GDPR comes into effect on May 25, 2018, both data controllers and data processors will have specific duties which they must fulfill. Under the existing regulations, data processors do not have statutory responsibilities. This will change with the GDPR’s introduction. As a result, organizations will need to ensure that they are aware of whether they will be classified as data controllers or data processors. If they are unsure, they run the risk of failing to comply with the strict standards and criteria expected of them under the new law. They should also know where they stand in order to implement the necessary data protections and procedures, if applicable.

Data Controllers

The GDPR has kept the categorization of data controllers and data processors the same as it appears in the existing legislation. A data controller decides, either alone or in concert with other groups, why data is...

Overview of GDPR Article 35
Apr20

The General Data Protection Regulation (GDPR) is a highly complex piece of legislation, but entities should pay particular attention to ensure they have a clear overview of Article 35 and understand how their activities may create risks for individuals, as well as for themselves. The GDPR is a wide-ranging European privacy law, governing and protecting the data of people living in the EU. It will come into effect on May 25, 2018. Article 35, Data protection impact assessment, is the first Article in Section 3, Data protection impact assessment and prior consultation. As certain data processing activities use novel techniques or include the processing of more sensitive data, they may present a high risk to data subjects – the people the data refers to. Article 35 describes when and how a data controller should carry out a data protection impact assessment in order to identify and minimize or address these risks.

What Type of Data Requires an Assessment?

The processing of certain data types will always require a data protection impact assessment prior to any processing being...

GDPR Password Requirements
Apr18

Although the text of the General Data Protection Regulation frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”, there is no specific mention of GDPR password requirements. However, an appropriate GDPR password policy should be part of a Data Protection Impact Assessment. The primary objectives of the European General Data Protection Regulation (GDPR) are to update data protection laws across the European Economic Area (EEA) and to standardize how EU member states apply the laws by creating rules relating to “the protection of natural persons with regard to the processing of personal data”. GDPR also creates rules for the free movement of personal data within the EEA, and restricts the migration of data outside of approved jurisdictions. In order to achieve these objectives, the Regulation consists of 99 Articles and 173 Recitals. It is significant that after the first four Articles (which relate to the objectives and definitions), the first Article of any real substance stipulates that personal data shall be “processed in a manner that...

What Countries are Affected by the GDPR?
Apr17

Which countries are affected by the GDPR is a common question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was adopted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of EU legislation, institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance. Institutions with offices in an EU country, or that collect, process or store the personal data of anyone located within an EU country, are required to comply with the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable your entity will be required to comply with the GDPR – especially if it is an entity that operates or offers services via the Internet.

Main Countries Affected by the GDPR

As mentioned above, the physical location of the institution, organization or business is not as important in determining the need to comply...

Legal Bases for Processing Personal Data Under GDPR
Apr14

We are mere weeks away from the introduction of the General Data Protection Regulation (GDPR), and a number of groups are still confused as to the acceptable legal bases for processing personal data under the GDPR. From May 25, 2018, onward, all personal data relating to individuals living in the European Union (EU) will be protected by the new law. Entities involved in processing the personal data of these individuals will be governed by the GDPR. Even groups located outside of the EU must comply with the regulation if they process the data of people based inside the EU. Under the GDPR, personal data cannot be processed for any purpose an organization merely happens to be curious about. As noted above, the acceptable reasons are causing some confusion. Article 6 of the Regulation, Lawfulness of processing, states that “[data] processing shall be lawful only if” the processing is being conducted for one of six legitimate reasons. These reasons include:

1. The person has provided active consent for their data to be processed for one or more specific purposes. There is no blanket...
