Dedicated to providing the latest
HIPAA compliance news

Do You Have a GDPR Data Retention Policy?
May 17

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR data retention policy, but what should that entail?

GDPR Data Retention Rules

Article 5 explains that when personal data are collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection. Under GDPR, organizations are required to adhere to the minimization principle, which applies both to the amount of personal data stored and to the length of time the information is retained. When data need to be retained, appropriate security controls should be applied to prevent unauthorized access, use, or processing of the data, and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all retained data remain accurate and up to date, and that inaccurate data are removed. GDPR data retention is covered in Article 5(e), which explains that...

GDPR Exemptions: Who is Exempt from GDPR Requirements?
May 11

The General Data Protection Regulation comes into force on May 25, 2018, and companies that collect or process the personal data of EU residents are required to comply with the GDPR, although there are limited GDPR exemptions and derogations.

Who Must Comply with the Requirements of GDPR

GDPR is concerned with ensuring that the privacy and data rights of EU residents are protected. GDPR may be an EU law, but it applies to all companies regardless of where they are located: whether a company is based in the EU or in a non-EU country, compliance with GDPR is mandatory. There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small businesses, individuals, or companies whose websites are accessible in the EU. Apart from limited GDPR exemptions, all companies – regardless of their size – are required to comply with GDPR if they offer free or paid goods or services to EU residents or monitor their behavior.

Who is Exempt from GDPR?

There are limited GDPR exemptions related to the processing of personal data, as detailed below: When data are processed during the...

Does GDPR Apply to EU Citizens Living in the US?
May 11

The term ‘European Union citizen’ is often used when explaining General Data Protection Regulation (GDPR) requirements, but what happens when an EU citizen leaves the EU? Does GDPR apply to EU citizens living in the US or in other non-EU countries? Does GDPR apply when EU citizens vacation in non-EU countries? What happens when Americans visit an EU country? They are clearly not EU citizens but are temporarily located in the EU. How does GDPR apply to US citizens living in an EU country or visiting on vacation or for business?

Does GDPR Apply to EU Citizens Living in the US?

Use of the phrase ‘European Union citizen’ is not helpful when dealing with GDPR, because GDPR is not concerned with citizenship; instead, it is concerned with where a person is located. The term ‘EU resident’, or ‘a person located in the EU’, is more useful. GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards, and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer...

The Cost of GDPR Compliance
May 4

As the introduction of the General Data Protection Regulation on May 25, 2018, draws nearer, many are realizing the cost of bringing their organizations into compliance with the GDPR. A recent study by a legal tech company, Axiom, noted that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and verify that they are in compliance with the GDPR. While not everyone will need to spend as much, there will still be money that needs to be found to assess and implement the necessary elements to continue operating without violating the GDPR. Two of the major areas that are likely to dictate the overall cost to organizations related to the GDPR are their current processes and the nature and scale of the data they manage.

How Will GDPR Compliance Cost Money?

Arguably, the most significant cost related to GDPR compliance will be the cost of auditing and classifying the data that is held. This is an incredibly important step to take, as it will lead to the identification of the data types being stored or processed; it should identify the risks...

GDPR High Risk Data Processing
May 3

The imminent introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, has many questioning what types of data or data processing are considered high risk or very high risk under the new law. As one of the main goals of the GDPR is to legislate data protection procedures concerning individuals within the European Union (EU), the concept of levels of risk may be of great importance to ensuring compliance. The GDPR should harmonize how the data of those located within the EU is collected, stored, and processed. These new rules will not just concern organizations located in EU member states, but also organizations located anywhere across the globe that manage data collected within the EU. To ensure compliance, groups will need to review their procedures and modify them to meet the criteria of the regulations. A first step for many will be a Data Protection Impact Assessment to audit and assess the personal data that they currently possess. Indeed, this is a required measure under the GDPR, which states “the likelihood and severity of the risk to the rights and...

A Comparison of the Privacy Shield and the GDPR
May 2

With the introduction of the General Data Protection Regulation (GDPR) fast approaching, many are wondering how it compares to or will integrate with other privacy and security laws and agreements, such as the Privacy Shield. As the GDPR will come into effect on May 25, 2018, it is important to clear up any confusion as quickly as possible. A central goal of the GDPR is to ensure that the personal data of people in the European Union (EU) will be protected, and that any storage or processing of this data will only be done in countries that have very strict legislation governing data protection. Currently, the legal safeguards and frameworks that exist within the United States (US) do not reach the standards required by the EU and the GDPR. This would mean that businesses and organizations based in the US would not be permitted to process data from EU countries. The Privacy Shield agreement was made to allow individual US based organizations to prove that their data protection procedures are at a high enough level to allow them to process data from EU countries.

How Does the Privacy...

GDPR Definition of Personal Data
May 1

The General Data Protection Regulation (GDPR) will govern how personal data collected within the European Union (EU) must be treated, but what is the GDPR definition of personal data? This question has been causing confusion for certain organizations, but they must still have their systems in place to correctly collect and process data before the law comes into force on May 25, 2018. The term “personal data” is defined in the text of the GDPR’s Article 4, Definitions, but the definition given is very broad and intentionally vague. This means that groups must be careful with almost any data that they collect or process. There may even be differences in what counts as personal data based on the activities, data collected, or processing requirements of the data controller or data processor – it is possible that context will play a role in what is defined as personal data. The definition stated in Article 4 is that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be...

Does GDPR Apply to Employees?
Apr 30

The introduction of the General Data Protection Regulation (GDPR) is just around the corner, and many organizations are wondering whether the GDPR also applies to data concerning employees, as well as to data related to clients or customers. The short answer is yes: employee data is subject to the same protections as client and customer data under the GDPR. When groups design their systems to be GDPR compliant, they must not forget to review and modify the systems that deal with internal staff information. This also means that staff members will have rights similar to those of clients and customers in relation to requesting copies of their stored data and other areas. Organizations will face penalties for the mismanagement or mishandling of employee data, the same as they would for mishandling or violating the rules for data concerning individuals external to the group.

How Should Human Resources Prepare?

As the majority of data relating to employees will be held and processed by the Human Resources (HR) department, it will be crucial for HR staff members to gain a strong working...

GDPR and Cold Emailing
Apr 27

As mentioned above, cold emailing is not completely banned or prohibited by the GDPR, but the GDPR has placed restrictions on how cold emailing can be used. Unrequested marketing materials cannot just be sent out to random email addresses; doing so could even result in penalties against the organization. Audience targeting for cold emailing will become much more important under the GDPR. The sender must be able to demonstrate some strong indication that the recipients will be interested in the subject matter. Something such as the recipient’s job title or business area may be enough to justify contacting them, but more information should be included when available. Obviously, any information used to support contacting an individual must be obtained legally and transparently. Other criteria that must be met include:
- Emails should have their subject matter and topics plainly visible.
- The email should be personalized to the recipient. This is another area where target and subject relevance is crucial.
- An unsubscribe option must exist to enable recipients to opt out from receiving future...

GDPR Consent for Existing Customers
Apr 26

With less than a month to go before the introduction of the General Data Protection Regulation (GDPR), many companies are wondering whether they need to request consent from their existing customers in order to process or continue processing their data. There are a number of conditions that must be met for consent to be valid under the GDPR. These include consent having been given freely by an informed individual for a specified purpose. On a superficial level, these are the same as the criteria which must be followed under the existing law. As a result, many organizations may feel that their user and customer consent does not need to be reviewed. However, the GDPR makes some amendments to how consent can be acquired, given, or implied. It is important that groups make note of these additional requirements when assessing the consent of their existing customers and when requesting consent from new and future customers. Below, we review some of the more important aspects that must be respected. If these have not been applied, existing consent may not be valid and the company may be...

Comparison of European and American Privacy Law
Apr 25

With the introduction of the General Data Protection Regulation (GDPR) just around the corner on May 25, 2018, many people are wondering how the new European law will compare to American privacy laws. An important point to note from the outset is that the GDPR will not just apply to organizations based within the EU, but to any organization which collects or processes the data of individuals based in the EU. The chief determining factor of GDPR applicability is the location of the data subject, not the location of the company. To further clarify this point, many organizations believe that the GDPR only applies to EU citizens. This is not the case. If the data has been collected in the EU, even if the data relates to a non-EU citizen, the information is subject to the protections of the GDPR and the controller and processing entities must treat it in compliance with these rules. Similarly, should a citizen of an EU country have their data collected and processed outside of the EU, their data is not subject to the GDPR protections as it was not collected within the EU. As well as...

GDPR Exemptions
Apr 24

The soon-to-be-introduced General Data Protection Regulation (GDPR) will govern how organizations store and process personal data relating to people living in the European Union (EU), but some exemptions can be made under the new legislation. Although it comes into effect on May 25, 2018, there is still a certain amount of confusion about how the GDPR will work and how it will interact with member states’ laws. Below, we will try to clear up some of this confusion.

GDPR vs National Law

A chief aim of the GDPR is to harmonize the rules concerning data processing across the EU. Even with this as a goal, there will still be a certain amount of leeway and discretion permitted for each individual EU member state to legislate some aspects of how data management is policed. GDPR Article 23, Restrictions, presents a set of acceptable reasons for which a member state may introduce a law restricting some of the rights otherwise granted in the other articles of the GDPR. These reasons include:
- security and defense
- prevention, detection, investigation, or prosecution of crime or breaches of ethics...

GDPR Data Breach Notification Rules
Apr 23

The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, makes a number of changes to how organizations can use personal data, but it has also changed the rules for how data breach notifications should be issued. Both data controllers and data processors are obligated to put in place sufficient apparatus and methods to safeguard the information they hold and process. While the exact means are not specified, it is stated in Article 32, Security of processing, and in several other places in the legislation, that “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” should be implemented. A non-exhaustive list of examples of security measures that may be considered is also given. The list includes pseudonymization and encryption, as well as procedures to ensure the confidentiality of data, to quickly restore access to data following incidents, and to regularly test the security measures. The security system and procedures must be documented so that compliance with the regulations can be proven. If an...

What is the Difference Between a Controller and a Processor in GDPR?
Apr 20

The General Data Protection Regulation (GDPR) makes frequent reference to data controllers and data processors, but what is the difference between a controller and a processor under the GDPR? When the GDPR comes into effect on May 25, 2018, both data controllers and data processors will have specific duties which they must fulfill. Under the existing regulations, data processors do not have statutory responsibilities. This will change with the GDPR’s introduction. As a result, organizations will need to ensure that they are aware of whether they will be classified as data controllers or data processors. If they are unsure, they run the risk of failing to comply with the strict standards and criteria expected of them under the new law. They should also know where they stand in order to implement the necessary data protections and procedures, if applicable.

Data Controllers

The GDPR has kept the categorization of data controllers and data processors the same as it appears in the existing legislation. A data controller decides, either alone or in concert with other groups, why data is...

Overview of GDPR Article 35
Apr 20

The General Data Protection Regulation (GDPR) is a highly complex piece of legislation, but entities should pay particular attention to ensure they have a clear overview of Article 35 and understand how their activities may create risks for individuals, as well as for themselves. The GDPR is a wide-ranging European privacy law, governing and protecting the data of people living in the EU. It will come into effect on May 25, 2018. Article 35, Data protection impact assessment, is the first Article in Section 3, Data protection impact assessment and prior consultation. As certain data processing activities use novel techniques or include the processing of more sensitive data, they may present a high risk to data subjects – the people the data refers to. Article 35 describes when and how a data controller should carry out a data protection impact assessment in order to identify and minimize or address these risks.

What Type of Data Requires an Assessment?

The processing of certain data types will always require a data protection impact assessment prior to any processing being...

GDPR Password Requirements
Apr 18

Although the text of the General Data Protection Regulation frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”, there is no specific mention of GDPR password requirements. However, an appropriate GDPR password policy should be part of a Data Protection Impact Assessment. The primary objectives of the European General Data Protection Regulation (GDPR) are to update data protection laws across the European Economic Area (EEA) and to standardize how EU member states apply the laws by creating rules relating to “the protection of natural persons with regard to the processing of personal data”. GDPR also creates rules for the free movement of personal data within the EEA, and restricts the migration of data outside of approved jurisdictions. In order to achieve these objectives, the Regulation consists of 99 Articles and 173 Recitals. It is significant that after the first four Articles (which relate to the objectives and definitions), the first Article of any real substance stipulates that personal data shall be “processed in a manner that...

What Countries are Affected by the GDPR?
Apr 17

“What countries are affected by the GDPR?” is a common GDPR question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was adopted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of EU legislation, institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance. Institutions with offices in an EU country, or that collect, process or store the personal data of anyone located within an EU country, are required to comply with the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable that your entity will be required to comply with the GDPR – especially if it operates or offers services via the Internet.

Main Countries Affected by the GDPR

As mentioned above, the physical location of the institution, organization or business is not as important in determining the need to comply...

Legal Bases for Processing Personal Data Under GDPR
Apr 14

We are mere weeks away from the introduction of the General Data Protection Regulation (GDPR), and a number of groups are still confused as to the acceptable legal bases for processing personal data under GDPR. From May 25, 2018, onward, all personal data relating to individuals living in the European Union (EU) will be protected by the new law. Entities involved in processing the personal data of these individuals will be governed by the GDPR. Even groups located outside of the EU must comply with the regulation if they process the data of people based inside the EU. Under the GDPR, personal data cannot be processed for any purpose an organization simply happens to be curious about. As noted above, the acceptable reasons are causing some confusion. Article 6 of the Regulation, Lawfulness of processing, states that “[data] processing shall be lawful only if” the processing is being conducted for one of six legitimate reasons. These reasons include:
1. The person has provided active consent for their data to be processed for one or more specific purposes. There is no blanket...

Personally Identifiable Data under the GDPR
Apr 11

With the introduction of the General Data Protection Regulation (GDPR) only weeks away, all groups involved in processing the personal data of individuals based in the EU should be aware of their duties under the new law, and in particular of their obligations when processing Personally Identifiable Data under the GDPR.

What is Personally Identifiable Data?

Personally Identifiable Data is a term used to refer to any piece of information which, either alone or when combined with additional information, allows a living person to be identified. In the past this was mostly used to designate home addresses or telephone numbers; however, this has evolved with the greater presence of technology and mobile devices in everyday life. More recently, the term Personally Identifiable Data has come to be used when talking about IP addresses, email addresses, social media identifiers, or online images. These elements are not always classified as Personally Identifiable Data, but they may be, depending on the context: a username or an IP address may be enough to directly identify someone; in contrast,...

GDPR Call Recording Regulations
Apr 10

The General Data Protection Regulation (GDPR) call recording regulations will come into force on May 25, 2018. How will the GDPR affect how entities collect, process and store phone calls and phone information? In this article, we will examine the potential impact the GDPR may have on recording phone calls and some steps entities can take to comply with the regulations. Anyone who has ever called a business or customer service line will be familiar with the automatic notice informing them that their call is likely to be recorded. Call recording is a common practice as it allows companies and organizations to monitor their customer care employees, have real world examples for training purposes, and have a definitive reference in case of a customer complaint or any other contentious issue. Given the many important functions that are served by call recording and the enduring preference of many people to call companies for assistance or other reasons instead of using online chats or tools, call recording is likely to be an option that organizations will continue to use for the...

GDPR Best Practices
Apr 10

With the May 25, 2018, introduction of the General Data Protection Regulation (GDPR) fast approaching, enterprises and organizations must ensure they are up-to-date with and understand the emerging GDPR compliance best practices. As the penalties for GDPR violations are quite severe, it is in the interest of all concerned groups to put these best practices into place. Aside from avoiding sanctions, following GDPR rules can boost a company’s image among consumers. Robust protections and confidence in data security may lead people to more freely share their data with organizations, without them worrying as much about the risk of information breaches. Having said all this, we now present some GDPR best practices which your group may consider implementing.

What is the Purpose of the GDPR?

A simple but often overlooked first step is taking the time to understand what the purpose of the GDPR is. People follow rules more readily when they know why they are being put in place. A central goal of the GDPR is to allow individuals based in the EU to have more say in how their information is...

GDPR Documentation Requirements
Apr 8

The new European Union (EU) General Data Protection Regulation (GDPR) will take effect on May 25, 2018, and it has specific GDPR documentation requirements. From that date, institutions and entities that process or store personal data relating to EU residents will be obliged to follow the standards set out in this new law. One particular area to note is the set of GDPR documentation requirements outlined in Article 30: Records of processing activities. In their capacity as data controller, groups will be required to record how they process data and other aspects of their data processing activities. Failure to do so could result in hefty fines or other serious penalties. Article 30 of the law lists a number of records that must be maintained by the data controller or the representative acting on their behalf. The list includes basic information, such as the name and address of the data controller, their Data Protection Officer (if relevant), and their representative, as well as the purpose of the processing. It also includes some more detailed information relating to transfers of data to...

Does GDPR apply to Canada?
Mar 19

Many Canadian companies are investigating the question: does GDPR apply to Canada and Canadian companies? While there are existing laws in place to facilitate the flow and exchange of information, including personal data, between groups based within the European Union (EU) and groups based in Canada, the introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, will quite probably impact and change the current situation. The Personal Information Protection and Electronic Documents Act, known as PIPEDA, is the law that is currently in effect. The EU does not have an overly favorable view of PIPEDA’s ability to hold Canadian entities to the standards necessary to comply with the GDPR. In any case, no matter where they are based – be it Canada, Colombia, China, or Cyprus – entities that process or store personal data relating to people living within the EU will need to follow the rules laid down in the GDPR.

What Action do Canadian Companies Need to Take?

Companies based in Canada will need to review and take stock of the information they have...

Overview of the GDPR
Jan 14

The content of the General Data Protection Regulation, or GDPR for short, was confirmed as long ago as 2015. It is due to become law on the 25th of May 2018, from which date the details outlined in this GDPR overview become applicable. From then on, a business or an organisation which falls under the remit of the GDPR, and yet fails to comply with it, may face the imposition of significant fines or other sanctions. The magnitude of any fine under the GDPR will be a decision for the appropriate Data Protection Authority (DPA). While the different member states of the EU will have their own DPAs, it is anticipated that there will be ongoing discussion between the various DPAs, so as to make sure that there will be some degree of consistency throughout the European Union. Consistency was one of the main motivations for the introduction of the GDPR. Another key reason is to offer EU citizens greater control over how their personal data is used.

What are the main consequences of the GDPR for companies and organisations?

As noted above, failing to comply with the requirements of the GDPR...

Upgrading Software to comply with GDPR
Jan 13

The General Data Protection Regulation (GDPR) comes into force on the 25th of May 2018 and any business that aspires to be GDPR compliant needs to be fully aware of the software upgrades that its IT systems will need to ensure that compliance. It may be the case that your business requires an upgrade of the software that it currently uses, or an alternative software solution might be required.

What is the impact of GDPR on your business?

To begin with, we should take a look at what the General Data Protection Regulation actually is. The intention of the GDPR is to provide some uniformity in the manner in which personal data is processed in European Union member states. However, the GDPR does not only affect Europe. It also introduces new and extended rights for all data subjects who are citizens of EU countries. That is to say that any organisation which processes the personal data of a European citizen must comply with the GDPR, no matter which continent it is based in. If you are not overly familiar with the terms of the GDPR, it might be helpful to consult the guidance of the...

Best Practice Under the General Data Protection Act
Jan 11

On the 25th of May 2018, the EU’s General Data Protection Regulation (GDPR) will become law. It is therefore crucial for organisations and businesses to be fully informed as to what the GDPR best practices are. Failing to put these GDPR best practices into action may result in a business being ruled non-compliant with the new Regulation, the consequences of which would be weighty fines or sanctions. Clearly, no company will want to risk that. Obviously, a GDPR compliant business will also have the additional benefit of maintaining the trust of customers, who will be reassured to know that their personal data is adequately protected. At the end of the day, nobody would like to learn that their personal data had been compromised. What, therefore, are the GDPR best practices that every business should adopt before May 25th, 2018?

Inform yourself about the GDPR

The first step to take is to ensure that you are fully informed as to what changes the GDPR will make. This allows your colleagues and yourself to grasp the new policies that you are obliged to respect. A key goal of the...

FAQs concerning the GDPR
Jan 11

The General Data Protection Regulation, or GDPR, becomes law on the 25th of May 2018. Many businesses are asking the same questions about it. The principal goal of the GDPR is to provide a degree of uniformity to the manner in which personal data is dealt with throughout the European Union. The new Regulation also increases the rights of citizens of EU member states, with respect to organisations or companies processing their personal data. Nonetheless, many business owners appear to be somewhat confused as to what precisely is contained in the GDPR. They have found it a challenge to make sense of the large quantities of information and rumours that have crossed their paths over the last few months. Below is a list of some of the more frequently asked questions, with answers, that many businesses have been asking about the GDPR.

Is the GDPR applicable solely to European companies and organisations?

As the GDPR is a regulation of the European Union, it is understandable that one of the more common misconceptions about it is that only those organisations which are based in EU member...

“To-do List” for GDPR Compliance
Jan10

The goal of this short piece is to help organizations, companies or businesses that collect, process or store personal data of “data subjects” located in the EU to start a GDPR To Do List. The list should permit such entities to take initial steps towards complying with GDPR. Please note that this is not intended to be a comprehensive guide, but rather a few “rules of thumb” to take into account in order to get started.

Preparing a GDPR To Do List

Although the impact of the General Data Protection Regulation (GDPR) has been largely known since it was agreed in 2016, it seems that few organizations have prepared a GDPR To Do List. According to ‘Spice Works’, just one year before the implementation date of the 25th May 2018, only 2% of Information Technology professionals surveyed throughout the European Union believed that their company or business was properly prepared for GDPR. A similar figure applied to IT professionals in the USA, and the figure for their UK counterparts was only marginally higher, at 5%. Simply put, this statistic is a cause for concern given...

Insurance Industry compliance with GDPR
Jan10

The General Data Protection Regulation (GDPR) is due to come into force on the 25th of May 2018. This short article focuses on the GDPR in the particular context of the insurance industry. Specialised consideration of the new Regulation is essential, given that non-compliance with GDPR rules may lead to the imposition of heavy fines among a number of other sanctions. It is essential to note that the GDPR will apply to insurance companies all around the world and not only those based in member states of the European Union. Should your company, in the course of its operations, process the personal data of European citizens, then it must be GDPR compliant. This means that you must ensure that all of your preparations have been completed before the GDPR comes into force.

Data processors’ responsibilities under GDPR

In the context of GDPR and the insurance industry, one of the most significant developments is that the burden of ensuring compliance will now be divided between data controllers and data processors. Until now, the responsibility of ensuring...

American Companies and the GDPR
Jan09

The impact of the General Data Protection Regulation (GDPR) on American companies which gather, maintain or process personal data of citizens of the European Union (EU) will be considerable, and compliance with it is obligatory. The new EU Regulation will come into force on May 25th, 2018. The GDPR affects the manner in which the personal data of the citizens of EU member states may be collected, used and held. It also gives individuals much more influence over what data about them is gathered, together with a right to know for what purposes that data is being used and for how long it will be used. The enactment of the GDPR will bring sweeping changes to business practices for those companies which have not already implemented a policy that reflects a similar level of data privacy. Fields as wide-ranging as finance, human resources, advertising, sales and customer services will undoubtedly be affected by the changes. Firms which work with channel partners must also ensure that their partners’ activities comply with the GDPR. Do...

Understanding GDPR Compliance
Jan09

What does ‘GDPR Compliance’ mean?

GDPR compliance is due to become obligatory in May 2018 for every business, organisation or company which gathers, stores or utilises the personal data of citizens throughout the European Union. The application of the General Data Protection Regulation (GDPR), together with the need for GDPR compliance that will follow, will significantly impact the manner in which data protection is dealt with throughout Europe. In order to answer the question “What does ‘GDPR Compliance’ mean?”, it is necessary to explain, to those who may be unfamiliar with the terms, the difference between a European Union Directive and a European Union Regulation. An EU Directive is a general set of guidelines on which EU member states may base their own domestic laws (with some flexibility as to the precise terms), whereas an EU Regulation is legislation that applies throughout the entire European Union, meaning that all member nations are obliged to comply with Regulations and they are enforceable by law. The General Data...

Small Businesses and GDPR Compliance
Jan08

What will GDPR change for small businesses?

Small businesses have experienced some confusion since the announcement of the General Data Protection Regulation (GDPR). A large number of small business owners appear to have assumed that the GDPR is not applicable to them. Unfortunately, they may well be in for quite a shock on the 25th of May 2018 when the new Regulation comes into force. Although it is a fact that the GDPR’s Article 30 states that small businesses are not bound by it, this will not always be the case. Small business owners should be alert to the introduction of the GDPR and inform themselves as to what significance it may have for their business; otherwise they could face sanctions they had not anticipated. Sanctions under the GDPR include large fines, which any business would prefer to avoid.

What impact might the GDPR have on a small business?

Under the terms of the GDPR, a small business appears to be defined as one which employs fewer than two hundred and fifty people. Any business employing more than 250 people must comply with the GDPR, which implies the...

When are GDPR Personal Data Breach Notifications Required?
Oct25

GDPR personal data breach notifications must be issued to the competent supervisory authority in the event of a breach of personal data, unless the breach is unlikely to result in a risk of adverse effects on data subjects. Data breach notifications must also be issued to the data subjects themselves when the breach poses a high risk to the rights and freedoms of those individuals.

Requirements for GDPR Personal Data Breach Notifications

On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) becomes enforceable. Among the many requirements for GDPR compliance is the mandatory reporting of breaches of personal data. While security breaches may need to be reported to other entities under state or federal laws, GDPR only requires notifications to be issued when the personal data of EU citizens is breached. GDPR personal data breach notifications are required for “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise...

GDPR Requirements for US Companies
Oct18

A new European data privacy and security law, the General Data Protection Regulation (GDPR), has been introduced, and while this law applies in Europe, there are also GDPR requirements for US companies, including organizations in the healthcare sector. The new law, which has an effective date of May 25, 2018, requires a swathe of protections to be introduced to keep the data of EU consumers secure and to protect their privacy. Healthcare organizations are in a good position to comply with GDPR since they are already required to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that a healthcare organization will not run afoul of GDPR: GDPR requirements for US companies cover aspects of privacy and security not required for HIPAA compliance.

Why Does GDPR Apply to US Companies?

GDPR is concerned with protecting the privacy of EU citizens and securing their data, so why are there GDPR requirements for US companies? The reason for GDPR is to give data subjects greater control over the...
