GDPR: What is the Role of the Data Protection Officer?
Jul13

Many businesses required to comply with GDPR must appoint a Data Protection Officer, but what is the role of the Data Protection Officer and what types of companies are required to appoint a DPO? The General Data Protection Regulation (GDPR) requires all companies that collect or process the personal data of EU residents to develop policies and procedures covering the collection, processing, and management of personal data of data subjects. GDPR also requires security controls to be implemented to ensure the confidentiality, integrity, and availability of personal data. The deadline for compliance with GDPR was May 25, 2018. One requirement of GDPR is the appointment of a Data Protection Officer whose main role is to oversee compliance. Does GDPR Require All Companies to Appoint a Data Protection Officer? Article 37 of the GDPR explains the requirement for designating a Data Protection Officer in an organization. Generally speaking, large companies – those that employ more than 250 people – are required to appoint a Data Protection Officer. Smaller companies, those with fewer...

How Does GDPR Apply to Medical Devices?
Jul05

The European Union’s General Data Protection Regulation came into force on May 25, 2018 and applies to healthcare providers who collect or process the personal data of data subjects residing in the EU, but how does GDPR apply to medical devices? How Does GDPR Apply to Medical Devices? Medical devices can collect a range of personal data – data that are considered ‘high risk’ with respect to the rights and freedoms of data subjects. As such, there are many aspects of GDPR that apply to medical devices. Consent Must be Obtained Prior to medical devices being used, it is important for consent to collect and process data to be obtained from the data subject. Explicit consent must be obtained, which means the data subject must freely give their specific, informed consent through a clear affirmative action. Any consent form must be written in clear and plain language that can be easily understood and the data subject must be made aware of the data that will be collected, how they will be used. See Article 7 of the GDPR. Consent is especially important for ‘special category’ of personal...

California Passes GDPR-Style Data Privacy Law
Jul02

AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously. California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including: The right to request information from businesses about the types of personal data that are collected and processed and the source of that information Be informed about the purpose for collecting, using, and selling personal data Categories of third parties with whom the information is shared The right to request a copy of all personal information collected by a business The right to have all personal information deleted on request The right to request personal information is not sold The right to initiate...

GDPR Right to Access Personal Data
Jun29

Healthcare organizations that market their services to residents in the EU or provide medical services to EU residents that require the collection of their personal information are required to comply with the EU General Data Protection Regulation (GDPR). One aspect of compliance that is of particular relevance to healthcare organizations is the GDPR right to access personal data. Any EU resident has the right to request access to all of their personal data and view any supplemental data attached to their file. Data subjects are more likely to exercise this right with healthcare organizations than with other organizations that hold their data, as it is especially important that this information is correct. They may also require the data to pass on to other healthcare organizations. The rights of data subjects with respect to subject access requests (SARs) are detailed in GDPR Article 15. The GDPR Right to Access Personal Data If a data subject chooses to exercise their GDPR right to access personal data, the request must be honored within 30 days. The data subject is permitted to obtain...

What are the GDPR Rules for Recording Calls?
Jun21

Many companies record telephone calls for ‘quality and training purposes’ and to help resolve customer disputes, but since May 25, 2018 GDPR Rules for recording calls must be followed. GDPR Rules for Recording Calls Any company, regardless of its location, must comply with GDPR Rules for recording calls if the company has dealings with EU residents. Call recording can continue under GDPR, as recording telephone conversations is not prohibited, but there are now additional requirements to protect the rights and freedoms of data subjects under GDPR. As with the use of cookies on websites and other forms of data collection, it can only take place if the data subject gives their consent (GDPR Article 7). Previously, in order to comply with existing regulations, companies would advise people that the calls may be recorded for a particular purpose and consent was obtained when the customer continued with the telephone call. The customer’s silence or lack of action was taken to mean that consent was being provided. However, GDPR Rules for recording telephone calls require consent to be...

A Third of Healthcare Organizations Expected to Miss GDPR Deadline
Jun14

Healthcare organizations that treat patients from the EU or target EU residents and collect their data are required to comply with the EU’s General Data Protection Regulation. The EU regulation came into force on May 25, 2018. Any healthcare organization that is required to comply with GDPR and fails to do so faces a substantial financial penalty for noncompliance. The fines for noncompliance with GDPR are far in excess of those for HIPAA violations. The maximum penalty for a HIPAA violation is $1.5 million per violation category, per year. The fine for noncompliance with GDPR is up to €20 million ($23 million) or 4% of global annual turnover, whichever is the greater. The final text of GDPR was adopted on April 14, 2016, giving all entities more than two years to implement the appropriate privacy and security controls and develop policies and procedures in line with GDPR. Even so, many organizations put GDPR compliance on the back burner until 2018 and have run out of time. Many organizations in the United States are still on the road to compliance even though the deadline has...

Rights of Data Subjects Under GDPR
Jun11

What are the rights of data subjects under GDPR? Find out more about what GDPR means to data subjects, data controllers, and data processors. The EU’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. The main purposes of the directive are to ensure data protection laws are standardized across all member states and to expand the rights of data subjects. Under GDPR, data subjects have greater control over who collects their data, how the information is used, and for how long. GDPR: Rights of Data Subjects The rights of data subjects under GDPR are detailed in Chapter 3 – Articles 12 to 23. There are eight fundamental rights under GDPR. 1. Right to Access Personal Data Under GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15). 2. Right to Rectification Data subjects have the right to request modification of their data, including the correction of errors and the updating of incomplete information (Article 16). 3. Right to...

GDPR Correction and Rectification Requirements
Jun06

From May 25, 2018, GDPR correction and rectification requests must be honored. Data subjects – EU residents – have the right to access the personal data collected by data controllers and view any supplemental data attached to their files. If data subjects access their personal data and notice some information is incomplete or incorrect, they have the right to have that information corrected to ensure their data are accurate and complete. If any information in a personal data file is incorrect or out of date, the data subject can request the information be corrected, edited or removed. Requests can be made orally or in writing. When such a request to access personal data is received, or when a correction or rectification is requested, the data controller is required to respond as soon as possible but no later than 30 days after the request has been made. To ensure compliance with the GDPR correction and rectification requirements, businesses must have developed and implemented policies and procedures to allow them to respond in a timely manner. Those policies and procedures should...

What is GDPR Special Category Data?
May26

Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data. What is GDPR special category data and how do the rules differ for processing that information? GDPR Special Category Data GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination. GDPR special category data includes the following information: Race and ethnic origin Religious or philosophical beliefs Political opinions Trade union memberships Biometric data used to identify an individual Genetic data Health data Data related to sexual preferences, sex life, and/or sexual orientation Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. Companies are prohibited from collecting or...

The GDPR Right to Object Explained
May25

Under the General Data Protection Regulation (GDPR), data subjects can object to certain uses of their data, but what exactly is the GDPR right to object, what can data subjects legitimately object to, and what must companies do when an objection is received from a data subject? The GDPR Right to Object The GDPR right to object is detailed in Article 21 of the GDPR. From May 25, 2018 – the compliance date for the GDPR – businesses must have developed policies and procedures for dealing with objections from data subjects. The GDPR right to object allows data subjects to object to certain types of data processing and stop a company from continuing to process their personal data. There are only certain situations when a legitimate right to object can be sent to a company. These are: Direct marketing The processing of personal data for statistical purposes related to historical or scientific research The processing of data for tasks in the public interest The exercising of official authority invested in you Objections to data processing in yours or a third party’s legitimate interest...

Do You Have a GDPR Data Retention Policy?
May17

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR data retention policy, but what should that entail? GDPR Data Retention Rules Article 5 explains that when personal data are collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection. Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained. When data need to be retained, appropriate security controls should be applied to prevent the unauthorized accessing, use, or processing of data and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all data retained remain accurate and are kept up to date and inaccurate data are removed. GDPR data retention is covered in Article 5(e), which explains that...

GDPR Exemptions: Who is Exempt from GDPR Requirements?
May11

The General Data Protection Regulation comes into force on May 25, 2018 and companies that collect or process the personal data of EU residents are required to comply with the GDPR, although there are limited GDPR exemptions and derogations. Who Must Comply with the Requirements of GDPR GDPR is concerned with ensuring the privacy and data rights of EU residents are protected. GDPR may be an EU law, but GDPR applies to all companies. It does not matter where a company is located, whether it is based in the EU or in a non-EU country, compliance with GDPR is mandatory. There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small businesses, individuals, or companies whose websites are accessible in the EU. Apart from limited GDPR exemptions, all companies – regardless of their size – are required to comply with GDPR if they offer free or paid goods or services to EU residents or monitor their behavior. Who is Exempt from GDPR? There are limited GDPR exemptions related to the processing of personal data as detailed below: When data are processed during the...

Does GDPR Apply to EU Citizens Living in the US?
May11

The term ‘European Union citizen’ is often used when explaining General Data Protection Regulation (GDPR) requirements, but what happens when an EU citizen leaves the EU? Does GDPR apply to EU citizens living in the US or in other non-EU countries? Does GDPR apply when EU citizens vacation in non-EU countries? What happens when Americans visit an EU country? They are clearly not EU citizens but are temporarily located in the EU. How does GDPR apply to US citizens living in an EU country or visiting on vacation or for business? Does GDPR Apply to EU Citizens Living in the US? Use of the phrase European Union citizen is not helpful when dealing with GDPR because GDPR is not concerned with citizenship; instead it is concerned with where a person is located. The term EU resident is more useful, or a person located in the EU. GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer...

The Cost of GDPR Compliance
May04

As the introduction of the General Data Protection Regulation on May 25, 2018, draws nearer, many are realizing the cost of bringing their organizations into compliance with the GDPR. A recent study by a legal tech company, Axiom, noted that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and verify that they are in compliance with the GDPR. While not everyone will need to spend as much, there will still be money that needs to be found to assess and implement the necessary elements to continue operating without violating the GDPR. Two of the major areas that are likely to dictate the overall cost to organizations related to the GDPR are their current processes and the nature and scale of the data they manage. How Will GDPR Compliance Cost Money? Arguably, the most significant cost related to GDPR compliance will be the cost of auditing and classifying the data that is held. This is an incredibly important step to take, as it will lead to the identification of the data types being stored or processed; it should identify the risks...

GDPR High Risk Data Processing
May03

The imminent introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, has many questioning what types of data or data processing are considered high risk or very high risk under the new law. As one of the main goals of the GDPR is to legislate data protection procedures concerning individuals within the European Union (EU), the concept of levels of risk may be of great importance to ensuring compliance. The GDPR should harmonize how the data of those located within the EU is collected, stored, and processed. These new rules will not just concern organizations located in EU member states, but also organizations located anywhere across the globe that manage data collected within the EU. To ensure compliance, groups will need to review their procedures and modify them to meet the criteria of the regulations. A first step for many will be a Data Protection Impact Assessment to audit and assess the personal data that they currently possess. Indeed, this is a required measure under the GDPR which states “the likelihood and severity of the risk to the rights and...

A Comparison of the Privacy Shield and the GDPR
May02

With the introduction of the General Data Protection Regulation (GDPR) fast approaching, many are wondering how it compares to or will integrate with other privacy and security laws and agreements, such as the Privacy Shield. As the GDPR will come into effect on May 25, 2018, it is important to clear up any confusion as quickly as possible. A central goal of the GDPR is to ensure that the personal data of people in the European Union (EU) will be protected, and that any storage or processing of this data will only be done in countries that have very strict legislation governing data protection. Currently, the legal safeguards and frameworks that exist within the United States (US) do not reach the standards required by the EU and the GDPR. This would mean that businesses and organizations based in the US would not be permitted to process data from EU countries. The Privacy Shield agreement was made to allow individual US based organizations to prove that their data protection procedures are at a high enough level to allow them to process data from EU countries. How Does the Privacy...

GDPR Definition of Personal Data
May01

The General Data Protection Regulation (GDPR) will govern how personal data collected within the European Union (EU) must be treated, but what is the GDPR definition of personal data? This question has been causing confusion for certain organizations, but they still must have their systems in place to correctly process and collect data before the law comes into force on May 25, 2018. The term “personal data” is defined in the text of the GDPR’s Article 4, Definitions, but the definition which is given is very broad and intentionally vague. This means that groups must be careful with almost any data that they collect or process. There may even be differences in what is counted as personal data based on the activities, data collected, or processing requirements of the data controller or data processor – it is possible that context will play a role in what is defined as personal data. The definition stated in Article 4 is that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be...

Does GDPR Apply to Employees?
Apr30

The introduction of the General Data Protection Regulation (GDPR) is just around the corner and many organizations are wondering whether the GDPR also applies to data concerning employees, as well as to data related to clients or customers. The short answer to this is yes, employee data is subject to the same protections as client and customer data under the GDPR. When groups design their systems to be GDPR compliant, they must not forget to review and modify the systems that deal with internal staff information. This will also mean that staff members will have similar rights to clients and customers in relation to requesting copies of their stored data and other areas. Organizations will face penalties for mismanagement or misconduct involving employee data the same as they would for mishandling or violating the rules for data concerning individuals external to the group. How Should Human Resources Prepare? As the majority of data relating to employees will be held and processed by the Human Resources (HR) department, it will be crucial for HR staff members to gain a strong working...

GDPR and Cold Emailing
Apr27

As mentioned above, cold emailing is not completely banned or prohibited by the GDPR but it has placed restrictions on how cold emailing can be used. Unrequested marketing materials cannot just be sent out to random email addresses. Doing so could even result in penalties against the organization. Audience targeting for cold emailing will become much more important under the GDPR. Some strong indication that the recipients will be interested in the subject matter must be able to be demonstrated by the sender. Something such as their job title or business area may be enough to defend contacting the target, but more information should be included when available. Obviously, any information used to support contacting an individual must be obtained legally and transparently. Other criteria that must be met include: Emails should have their subject matter and topics plainly visible The email should be personalized to the recipient. This is another area where target and subject relevance is crucial An unsubscribe option must exist to enable recipients to opt out from receiving future...

GDPR Consent for Existing Customers
Apr26

With less than a month to go before the introduction of the General Data Protection Regulation (GDPR), many companies are wondering whether they need to request consent from their existing customers in order to process or continue processing their data. There are a number of conditions that must be met for consent to be valid under the GDPR. These include consent having been given freely by an informed individual for a specified purpose. On a superficial level, these are the same as the criteria which must be followed under the existing law. As a result, many organizations may feel that their user and customer consent does not need to be reviewed. However, the GDPR makes some amendments to how consent can be acquired, given, or implied. It is important that groups make note of these additional requirements when assessing the consent of their existing customers and when requesting consent from new and future customers. Below, we review some of the more important aspects that must be respected. If these have not been applied, existing consent may not be valid and the company may be...

Comparison of European and American Privacy Law
Apr25

With the introduction of the General Data Protection Regulation (GDPR) just around the corner on May 25, 2018, many people are wondering how the new European law will compare to American privacy laws. An important point to note from the outset is that the GDPR will not just apply to organizations based within the EU, but to any organization which collects or processes the data of individuals based in the EU. The chief determining factor of GDPR applicability is the location of the data subject, not the location of the company. To further clarify this point, many organizations believe that the GDPR only applies to EU citizens. This is not the case. If the data has been collected in the EU, even if the data relates to a non-EU citizen, the information is subject to the protections of the GDPR and the controller and processing entities must treat it in compliance with these rules. Similarly, should a citizen of an EU country have their data collected and processed outside of the EU, their data is not subject to the GDPR protections as it was not collected within the EU. As well as...

GDPR Exemptions
Apr24

The soon-to-be-introduced General Data Protection Regulation (GDPR) will govern how organizations store and process personal data relating to people living in the European Union (EU), but some exemptions can be made under the new legislation. Coming into effect on May 25, 2018, there is still a certain amount of confusion relating to how the GDPR will work and how it will interact with member states’ laws. Below, we will try to clear up some of this confusion. GDPR vs National Law A chief aim of the GDPR is to harmonize the rules concerning data processing across the EU. Even with this as a goal, there will still be a certain amount of leeway and discretion permitted for each individual EU member state to legislate some aspects of how data management is policed. GDPR Article 23, Restrictions, presents a set of acceptable reasons for which a member state may introduce a law restricting some of the rights otherwise granted in the other articles of the GDPR. These reasons include: security and defense prevention, detection, investigation, or prosecution of crime or breaches of ethics...

GDPR Data Breach Notification Rules
Apr23

The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, makes a number of changes to how organizations can use personal data, but it has also changed the rules of how data breach notifications should be issued. Both data controllers and data processors are obligated to put sufficient apparatus and methods to safeguard the information they hold and process in place. While exact means are not specified, it is stated in Article 32, Security of processing, and several other times in the legislation, that the “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” should be implemented. A non-exhaustive list of examples of security measures that may be considered is also given. The list includes pseudonymization and encryption, as well as procedures to ensure the confidentiality of data, to quickly restore access to data following incidents, and to regularly test the security measures. The security system and procedures must be documented so that compliance with the regulations can be proven. If an...

What is the Difference Between a Controller and a Processor in GDPR?
Apr20

The General Data Protection Regulation (GDPR) makes frequent reference to data controllers and data processors, but what is the difference between a controller and a processor under the GDPR? When the GDPR comes into effect on May 25, 2018, both data controllers and data processors will have specific duties which they must fulfill. Under the existing regulations, data processors do not have statutory responsibilities. This will change with the GDPR’s introduction. As a result, organizations will need to ensure that they are aware of whether they will be classified as data controllers or data processors. If they are unsure, they run the risk of failing to comply with the strict standards and criteria expected of them under the new law. They should also know where they stand in order to implement the necessary data protections and procedures, if applicable. Data Controllers The GDPR has kept the categorization of data controllers and data processors the same as it appears in the existing legislation. A data controller decides, either alone or in concert with other groups, why data is...

Overview of GDPR Article 35
Apr20

The General Data Protection Regulation (GDPR) is a highly complex piece of legislation, but entities should pay particular attention to ensure they have a clear overview of Article 35 and understand how their activities may create risks for individuals, as well as for themselves. The GDPR is a wide-ranging European privacy law, governing and protecting the data of people living in the EU. It will come into effect on May 25, 2018. Article 35, Data protection impact assessment, is the first Article in Section 3, Data protection impact assessment and prior consultation. As certain data processing activities use novel techniques or include the processing of more sensitive data, they may present a high risk to data subjects – the people the data refers to. Article 35 describes when and how a data controller should carry out a data protection impact assessment in order to identify and minimize or address these risks. What Type of Data Requires an Assessment? The processing of certain data types will always require a data protection impact assessment prior to any processing being...

GDPR Password Requirements
Apr18

Although the text of the General Data Protection Regulation frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”, there is no specific mention of GDPR password requirements. However, an appropriate GDPR password policy should be part of a Data Protection Impact Assessment. The primary objectives of the European General Data Protection Regulation (GDPR) are to update data protection laws across the European Economic Area (EEA) and to standardize how EU member states apply the laws by creating rules relating to “the protection of natural persons with regard to the processing of personal data”. GDPR also creates rules for the free movement of personal data within the EEA, and restricts the migration of data outside of approved jurisdictions. In order to achieve these objectives, the Regulation consists of 99 Articles and 173 Recitals. It is significant that after the first four Articles (which relate to the objectives and definitions), the first Article of any real substance stipulates that personal data shall be “processed in a manner that...

What Countries are Affected by the GDPR?
Apr17

What countries are affected by the GDPR is a common GDPR question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was accepted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of EU legislation, institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance. Institutions with offices in an EU country or that collect, process or store the personal data of anyone located within an EU country are required to comply with the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable your entity will be required to comply with the GDPR – especially if it is an entity that operates or offers services via the Internet. Main Countries Affected by the GDPR As mentioned above, the physical location of the institution, organization or business is not as important in determining the need to comply...

Legal Bases for Processing Personal Data Under GDPR
Apr14

We are mere weeks away from the introduction of the General Data Protection Regulation (GDPR) and a number of groups are still confused as to the acceptable legal bases for processing personal data under GDPR. From May 25, 2018, onward, all personal data relating to individuals living in the European Union (EU) will be protected by the new law. Entities involved in processing the personal data of these individuals will be governed by the GDPR. Even groups located outside the EU must comply with the Regulation if they process the data of people based inside the EU. Under the GDPR, personal data may not be processed for any purpose an organization simply finds interesting; every processing operation needs a lawful basis. As noted above, the acceptable bases are causing some confusion. Article 6 of the Regulation, Lawfulness of processing, states that “[data] processing shall be lawful only if” the processing is being conducted for one of six legitimate reasons. These reasons include: 1. The person has provided active consent for their data to be processed for one or more specific purposes. There is no blanket...

Personally Identifiable Data under the GDPR
Apr11

With the introduction of the General Data Protection Regulation (GDPR) only weeks away, all groups involved in processing the personal data of individuals based in the EU should be aware of their duties under the new law and should be aware of their obligations when processing Personally Identifiable Data under the GDPR. What is Personally Identifiable Data? Personally Identifiable Data is a term used to refer to any piece of information which, either alone or when supported by additional information, allows for the identification of a living person. In the past this was mostly used to designate home addresses or telephone numbers, however this has evolved with the greater presence of technology and mobile devices in everyday life. Recently, the term Personally Identifiable Data can be used when talking about IP addresses, email addresses, social media identifiers, or online images. These elements are not always classified as Personally Identifiable Data, but they may be, depending on the context: a username, or an IP address may be enough to directly identify someone; in contrast,...

GDPR Call Recording Regulations
Apr10

The General Data Protection Regulation (GDPR) call recording regulations will come into force on May 25, 2018. How will the GDPR affect how entities collect, process and store phone calls and phone information? In this article, we will examine the potential impact the GDPR may have on recording phone calls and some steps entities can take to comply with the regulations. Anyone who has ever called a business or customer service line will be familiar with the automatic notice informing them that their call is likely to be recorded. Call recording is a common practice as it allows companies and organizations to monitor their customer care employees, have real world examples for training purposes, and have a definitive reference in case of a customer complaint or any other contentious issue. Given the many important functions that are served by call recording and the enduring preference of many people to call companies for assistance or other reasons instead of using online chats or tools, call recording is likely to be an option that organizations will continue to use for the...

GDPR Best Practices
Apr10

With the May 25, 2018, introduction of the General Data Protection Regulation (GDPR) fast approaching, enterprises and organizations must ensure they are up-to-date with and understand the emerging GDPR compliance best practices. As the penalties for GDPR violations are quite severe, it is in the interest of all concerned groups to put these best practices into place. Aside from avoiding sanctions, following GDPR rules can boost a company’s image among consumers. Robust protections and confidence in data security may lead people to more freely share their data with organizations, without them worrying as much about the risk of information breaches. Having said all this, we now present some GDPR best practices which your group may consider implementing. What is the Purpose of the GDPR? A simple but often overlooked first step is taking the time to understand what the purpose of the GDPR is. People follow rules more readily when they know why they are being put in place. A central goal of the GDPR is to allow individuals based in the EU to have more say in how their information is...

GDPR Documentation Requirements
Apr08

The new European Union (EU) General Data Protection Regulation (GDPR) will take effect from May 25, 2018 and has specific GDPR documentation requirements. When this happens, institutions and entities that process or store personal data relating to EU residents will be obliged to follow the standards set out in this new law. One particular area to note is the GDPR documentation requirements, outlined in Article 30: Records of processing activities. In their capacity as data controller, groups will be required to record how they process data and other aspects of their data processing activities. Failure to do so could result in hefty fines or other serious penalties. Article 30 of the law lists a number of records that must be maintained by the data controller or the representative acting on their behalf. The list includes basic information; such as the name and address of the data controller, their Data Protection Officer (if relevant), and their representative; as well as the purpose of the processing. It also includes some more detailed information relating to transfers of data to...

Does GDPR apply to Canada?
Mar19

Many Canadian companies are investigating the question: does GDPR apply to Canada and Canadian companies? While there are existing arrangements in place to facilitate the flow and exchange of information, including personal data, between groups based within the European Union (EU) and groups based in Canada, the introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, will quite probably change the current situation. The Personal Information Protection and Electronic Documents Act, known as PIPEDA, is the Canadian law currently in effect. PIPEDA has benefited from an EU adequacy decision for commercial organisations since 2001, but adequacy concerns transfers of personal data out of the EU; it does not exempt a Canadian entity from the GDPR itself. No matter where they are based, be it Canada, Colombia, China, or Cyprus, entities that process or store personal data relating to people living within the EU will need to follow the rules laid down in the GDPR. What Action do Canadian Companies Need to Take? Companies based in Canada will need to review and take stock of the information they have...

Overview of the GDPR
Jan14

The content of the General Data Protection Regulation, or GDPR for short, was agreed as long ago as December 2015. The Regulation entered into force in May 2016 and applies from the 25th of May 2018, the date from which the details outlined in this GDPR overview become enforceable. From then on, a business or an organisation which falls under the remit of the GDPR, and yet fails to comply with it, may face the imposition of significant fines or other sanctions. The magnitude of any fine under the GDPR will be a decision for the appropriate Data Protection Authority (DPA). While the different member states of the EU have their own DPAs, it is anticipated that there will be ongoing discussion between the various DPAs to ensure some degree of consistency throughout the European Union. Consistency was one of the main motivations for the introduction of the GDPR. Another key reason is to offer individuals in the EU greater control over how their personal data is used. What are the main consequences of the GDPR for companies and organisations? As noted above, failing to comply with the requirements of the GDPR...

Upgrading Software to comply with GDPR
Jan13

The General Data Protection Regulation (GDPR) applies from the 25th of May 2018 and any business that aspires to be GDPR compliant needs to be fully aware of the software upgrades its IT systems will need to ensure that compliance. It may be the case that your business requires an upgrade of the software it currently uses, or an alternative software solution might be required. What is the impact of GDPR on your business? To begin with, we should take a look at what the General Data Protection Regulation actually is. The intention of the GDPR is to provide some uniformity in the manner in which personal data is processed in European Union member states. However, the GDPR does not only affect Europe. It also introduces new and extended rights for all data subjects who are in the EU, regardless of their nationality. That is to say that any organisation which processes the personal data of individuals in the EU must comply with the GDPR, no matter which continent it is based in. If you are not overly familiar with the terms of the GDPR, it might be helpful to consult the guidance of the...

Best Practice Under the General Data Protection Act
Jan11

On the 25th of May 2018, the EU’s General Data Protection Regulation (GDPR) becomes enforceable. It is therefore crucial for organisations and businesses to be fully informed as to what the GDPR best practices are. Failing to put these best practices into action may result in a business being found non-compliant with the new Regulation, the consequences of which are weighty fines or sanctions. Clearly, no company will want to risk that. A GDPR compliant business will also have the additional benefit of maintaining the trust of customers, who will be reassured to know that their personal data is adequately protected. At the end of the day, nobody wants to learn that their personal data has been compromised. What, therefore, are the GDPR best practices that every business should adopt before May 25th, 2018? Inform yourself about the GDPR The first step to take is to ensure that you are fully informed as to what changes the GDPR will make. This allows you and your colleagues to grasp the new policies that you are obliged to respect. A key goal of the...

FAQs concerning the GDPR
Jan11

The General Data Protection Regulation, or GDPR, becomes enforceable on the 25th of May 2018. Many businesses are asking the same questions about it. The principal goal of the GDPR is to provide a degree of uniformity to the manner in which personal data is dealt with throughout the European Union. The new Regulation also increases the rights of individuals in the EU with respect to the organisations or companies processing their personal data. Nonetheless, many business owners appear to be somewhat confused as to what precisely is contained in the GDPR. They have found it a challenge to make sense of the large quantities of information and rumours that have crossed their paths over the last few months. Below is a list of some of the more frequently asked questions, with answers, that many businesses have been asking about the GDPR. Is the GDPR applicable solely to European companies and organisations? As the GDPR is a regulation of the European Union, it is understandable that one of the more common misconceptions about it is that only those organisations which are based in EU member...

“To-do List” for GDPR Compliance
Jan10

The goal of this short piece is to help organizations, companies or businesses that collect, process or store personal data of “data subjects” located in the EU start a GDPR To Do List. This list should permit such entities to take initial steps towards complying with GDPR. Please note that this is not intended to be a comprehensive guide, more a few “rules of thumb” to take into account in order to get started. Preparing a GDPR To Do List Although the impact of the General Data Protection Regulation (GDPR) has been largely known since it was agreed in 2016, it seems that few organizations have prepared a GDPR To Do List. According to Spiceworks, just one year before the implementation date of the 25th May 2018, only 2% of Information Technology professionals surveyed throughout the European Union believed that their company or business was properly prepared for GDPR. A similar figure applied to IT professionals in the USA, and the figure for their UK counterparts was only marginally higher, at 5%. Simply put, this statistic is a cause for concern given...

Insurance Industry compliance with GDPR
Jan10

The General Data Protection Regulation (GDPR) is due to become enforceable on the 25th of May 2018. This short article is focused on the GDPR in the particular context of the insurance industry. Specialised consideration of the new Regulation is essential given that non-compliance with GDPR rules may lead to the imposition of heavy fines among a number of other sanctions. It is essential to note that the GDPR will apply to insurance companies all around the world and not only those based in member states of the European Union. Should your company, in the course of its operations, process the personal data of individuals in the EU, then it must be GDPR compliant. What this means is that you must ensure that all of your preparations have been completed prior to the GDPR becoming enforceable. Data processors’ responsibilities under GDPR In the context of GDPR and the insurance industry, one of the most significant developments is that the burden of ensuring compliance will now be divided between data controllers and data processors. Until now, the responsibility of ensuring...

American Companies and the GDPR
Jan09

The impact of the General Data Protection Regulation (GDPR) on American companies which gather, maintain or process the personal data of individuals in the European Union (EU) will be considerable, and compliance with it is obligatory. The new EU Regulation becomes enforceable on May 25th, 2018. The GDPR governs the manner in which the personal data of individuals in EU member states may be collected, used and held. It also gives individuals much more influence over what data about them is gathered, together with a right to know for what purposes that data is being used and for how long it will be retained. The enactment of the GDPR will instigate sweeping changes to business practices for those companies which have not already implemented a policy that reflects a similar level of data privacy. Fields as wide-ranging as finance, human resources, advertising, sales and customer services will undoubtedly be impacted by the changes. Firms which work with channel partners must also ensure that their partners’ activities comply with the GDPR. Do...

Understanding GDPR Compliance
Jan09

What does ‘GDPR Compliance’ mean? GDPR compliance becomes obligatory in May 2018 for every business, organisation or company which gathers, stores or uses the personal data of individuals in the European Union. The application of the General Data Protection Regulation (GDPR), together with the need for GDPR compliance that follows from it, will significantly change the manner in which data protection is dealt with throughout Europe. To answer the question “What does ‘GDPR Compliance’ mean?”, it is necessary to explain, for those unfamiliar with the terms, the difference between a European Union Directive and a European Union Regulation. An EU Directive sets out a result that member states must achieve, leaving each state to enact its own domestic law (with some flexibility as to the precise terms), whereas an EU Regulation is directly applicable legislation that applies throughout the entire European Union without national implementing law, so all member states are bound by it and it is enforceable as law. The General Data...

Small Businesses and GDPR Compliance
Jan08

What will GDPR change for small businesses? Small businesses have experienced some confusion since the announcement of the General Data Protection Regulation (GDPR). A large number of small business owners appear to have assumed that the GDPR is not applicable to them. Unfortunately, they may well be in for quite a shock on the 25th of May 2018 when the new Regulation becomes enforceable. The confusion stems from Article 30(5), which exempts enterprises with fewer than 250 employees from the Article 30 record-keeping obligation; that exemption does not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions, and it never exempts a small business from the rest of the GDPR. Small business owners should be alert to the introduction of the GDPR, and inform themselves as to what significance it may have for their business, otherwise they could face sanctions they had not anticipated. Sanctions under the GDPR include large fines, which any business would prefer to avoid. What impact might the GDPR have on a small business? For the purposes of the Article 30 exemption, a small business is one which employs fewer than 250 people. Any business employing 250 or more people must keep full records of its processing activities, which implies the...

When are GDPR Personal Data Breach Notifications Required?
Oct25

GDPR personal data breach notifications must be issued to the competent supervisory authority in the event of a breach of personal data unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33). The notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. Data breach notifications must also be issued to the data subjects themselves when the breach is likely to result in a high risk to their rights and freedoms (Article 34). Requirements for GDPR Personal Data Breach Notifications On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) becomes enforceable. While there are many requirements to ensure compliance with GDPR, one of them is the mandatory reporting of breaches of personal data. While security breaches may also need to be reported to other bodies under state or federal laws, GDPR notification duties apply only to breaches of personal data within its scope, that is, the data of individuals in the EU. GDPR personal data breach notifications are required for “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise...

GDPR Requirements for US Companies
Oct18

A new European data privacy and security law, the General Data Protection Regulation (GDPR), has been introduced, and while this law applies in Europe, there are also GDPR requirements for US companies, including organizations in the healthcare sector. The new law, which becomes enforceable on May 25, 2018, requires a swathe of protections to be introduced to keep the data of individuals in the EU secure and to protect their privacy. Healthcare organizations are in a good position to comply with GDPR since they are already required to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that a healthcare organization will not fall afoul of GDPR. GDPR requirements for US companies cover aspects of privacy and security that HIPAA compliance does not require. Why Does GDPR Apply to US Companies? GDPR is concerned with protecting the privacy of individuals in the EU and securing their data, so why are there GDPR requirements for US companies? The reason for GDPR is to give data subjects greater control over the...
