Sweden Issues GDPR Fine to School for Unlawful Use of Facial Recognition Technology
Aug29

The Swedish Data Protection Authority (DPA) has issued its first ever financial penalty for a violation of the EU’s General Data Protection Regulation (GDPR). The 200,000 SEK fine (€19,000/$21,000) was issued to a high school in Skellefteå which conducted a pilot study that used facial recognition technology to monitor student attendance. Assisted by IT company Tieto, the school used CCTV cameras and facial recognition technology to monitor the attendance of 22 students at school. The trial ran for three weeks in late 2018. The aim of the trial was to determine whether facial recognition technology could be used in place of standard roll calls in classes. Under Swedish law, schools are required to conduct a roll call at the start of each lesson, which places a considerable administrative burden on teachers and reduces the time spent teaching students. According to Tieto, the school was losing 17,280 hours a year simply marking attendance. That equates to 10 full-time jobs. The pilot was conducted with the best intentions, but the DPA determined the school violated several articles...

Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine
Jul22

The GDPR data protection authority in the Netherlands – Autoriteit Persoonsgegevens – has issued its first GDPR data breach fine. Haga Hospital in The Hague has been fined €460,000 ($516,000) for security failures that contributed to a privacy breach in 2018. The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated. In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’. The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing...

ICO Proposes $123 Million GDPR Fine for Marriott
Jul12

Just a few days after the UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million ($230 million) for its 383 million-record breach comes another financial penalty for GDPR violations. ICO has announced its intention to fine Marriott £99 million ($123 million) for its breach of around 339 million customer records, which was discovered in 2018. The ICO is the UK’s GDPR supervisory authority. When a data breach is experienced that results in the exposure of EU citizens’ data, the breach must be reported to ICO within 72 hours of discovery. ICO investigates data breaches to determine whether GDPR rules were violated. ICO also investigates complaints about GDPR violations from consumers. After receiving Marriott’s breach report in September 2018, ICO launched an investigation. It is not reasonable to expect companies to be able to prevent all data breaches but, under GDPR, reasonable and appropriate security measures should be implemented to reduce the risk of a breach to a low and acceptable level. In Marriott’s case, the breach...

British Airways Faces £183 Million GDPR Fine for 2018 Data Breach
Jul09

The UK Information Commissioner’s Office (ICO), the GDPR supervisory authority, has issued the largest GDPR penalty to date to British Airways. British Airways can appeal, but as it stands the ICO will fine the airline £183.39 million ($228 million) for security failures that were exploited in a 2018 cyberattack on its website. The fine surpasses the previous record of £500,000 ($623,000) issued to Facebook over the Cambridge Analytica scandal. For British Airways, however, its breach occurred after May 25, 2018 – the effective date of the EU’s General Data Protection Regulation. GDPR updated a previous EU directive and, in addition to introducing a slew of new privacy and security regulations, the penalties for privacy and data security failures were substantially increased. The maximum penalty for a serious GDPR violation is now €20 million ($22.4 million) or 4% of global annual turnover, whichever is higher. The £183 million penalty corresponds to 1.5% of BA’s global annual turnover for 2017. The maximum penalty would have been close to £500 million if its holding company,...

AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology
Apr12

Amazon Web Services’ chief technology officer, Werner Vogels, has been dispelling security myths about cloud computing at the Dublin Tech Summit in Ireland this week. Concerns have been raised about the security of data stored in the cloud, especially following the discovery that 540 million Facebook records had been exposed on AWS, one of several high-profile data breaches that have involved AWS-stored data in the past 12 months.

Fears About Compliance and the Cloud

Companies required to comply with the General Data Protection Regulation (GDPR) must ensure that the personal data of EU citizens is secured and kept private and confidential. Since GDPR came into effect on May 25, 2018, the potential penalties for data exposures have increased significantly. It is therefore understandable that companies are concerned about storing data in the cloud rather than on on-premises infrastructure that they feel better able to secure. Germany’s federal commissioner, Ulrich Kelber, spoke before Vogels at the Tech Summit and voiced his concerns about American cloud storage providers, stating that they...

59,000 Data Breaches Reported to GDPR Supervisory Authorities: 91 Fines Issued
Feb08

A new report from DLA Piper indicates 59,430 data breaches have been reported to EU supervisory authorities since the GDPR compliance deadline of May 25, 2018. The majority of the data breaches have been reported in the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600). The Netherlands saw the highest number of breaches per capita, followed by Ireland and Denmark. It is worth noting that many non-EU companies have registered bases in EU member states, and any data breaches experienced by them count toward the total for the country where their European HQ is established. Many non-EU firms, including Google, Facebook, Twitter, and Microsoft, have chosen Ireland for their European base. Obtaining accurate numbers for data breach reports was a challenge. Official EU figures suggest that there had only been 41,502 data breaches reported between the compliance deadline and January 28, 2019; however, those figures do not include Norway, Iceland, and Liechtenstein, which are not members of the EU but are part of the European Economic Area (EEA). The official figures...

GDPR Incorporated into the HITRUST CSF
Jan29

HITRUST has incorporated the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements. Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine of up to 4% of global annual turnover, or €20 million, whichever is greater. Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible. “As countries around the world continue to adopt and advance...

Google Hit With €50 Million GDPR Violation Penalty
Jan22

Google has been hit with a €50 million ($56.8 million) GDPR violation penalty, the largest GDPR violation penalty issued to date. The French GDPR supervisory authority, the National Data Protection Commission (CNIL), investigated suspected GDPR violations after receiving complaints from two privacy rights groups: La Quadrature du Net and noyb. The first of the complaints was filed on the GDPR compliance deadline, May 25, 2018. The complaints were related to how Google processes user data for personalizing ads. It was argued that Google did not have a valid legal basis for processing user information and had not obtained clear consent to do so. While information about its data processing activities has been made available to users, the information is spread across several documents, so it is unclear to consumers how personal data is being processed. According to CNIL, a consumer would need to take five or six actions in order to find out essential information about Google’s processing activities related to personalized ads and, as such, users would not be able to understand...

Federal GDPR-Style Data Privacy Bill Introduced
Dec17

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz (D-Hawai’i), introduced the Data Care Act. The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm. The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions. As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data. The bill would also require companies...

GDPR Compliance Software
Dec15

Complying with all of the requirements of the EU General Data Protection Regulation can be a complicated task, which is why many companies and organizations are choosing to use GDPR compliance software to help them achieve compliance and eliminate some of the administrative burden. The complexity of meeting all requirements of GDPR, and the potential penalties for compliance failures, makes a software solution an attractive option.

Complying with the EU General Data Protection Regulation

GDPR was introduced to improve privacy protections for EU citizens. The legislation requires EU citizens to be informed about the types of personal data collected by organizations and how that information is used, affords them additional rights, and gives them greater control over their personal information. GDPR gives consumers a right to access personal data collected, held, or processed, a right to correct information that is incorrect, and also gives them the right to be forgotten and have all personal data stored or used by a company/individual deleted on request. GDPR requires...

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine
Dec07

The first hospital GDPR violation penalty has been issued in Portugal. The Portuguese supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system. Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system. CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data, and nine social workers had been granted access to confidential patient data. The failure to implement appropriate access controls is a violation of...

Data Breach Reports and Complaints Have Increased Significantly Post-GDPR
Sep26

The General Data Protection Regulation (GDPR) provided EU residents with new rights and freedoms and gave EU citizens greater control over the personal information that is collected, processed, and used by companies. One of the rights given to EU citizens is the ability to submit complaints to the data protection authority when they feel that their personal data is being misused or has not been protected. GDPR also requires companies to disclose certain data breaches within 72 hours of discovery. Since GDPR came into effect on May 25, 2018, there has been a considerable increase in the number of data breaches reported by companies in Europe. Data breach reports in the United Kingdom quadrupled in the first three months after GDPR came into effect, and in Ireland data breach reports doubled. A study conducted by Kroll shows there was a 75% increase in data breaches reported to the Information Commissioner’s Office (ICO) – the supervisory authority in the United Kingdom – in the past year. The Kroll study showed the ICO had received more than 2,000 data breach reports in the past year that...

Steps to Take to Make a Website GDPR Compliant
Aug06

If you have a website that can be accessed by EU residents, it is likely that you will have to make your website GDPR compliant. If you have yet to do so, you could potentially face a substantial fine, as the General Data Protection Regulation compliance date was May 25, 2018. The main purpose of GDPR is to protect the rights and freedoms of EU residents and to give them more control over their personal data, no matter where personal data is collected or processed. Over the past two years, many businesses have been learning about how GDPR affects websites, and website owners have made changes to ensure their sites are compliant. However, some businesses are unsure how to make a website GDPR compliant and others have ignored GDPR requirements entirely. Site owners that fail to make a website GDPR compliant can face stiff financial penalties. The penalty for noncompliance with GDPR is up to €20 million or 4% of global annual turnover (whichever is greater), so noncompliance really isn’t an option.

How to Make a Website GDPR Compliant

One of the main requirements to make a website GDPR...

How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority?
Aug02

Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the entity that must be notified in the event of a breach of personal data of data subjects. The Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing. The main purpose of having a lead supervisory authority is that there is just one point of contact, such as when a business operates in multiple EU member states. It is a one-stop shop for all matters related to GDPR. For most companies, choosing a GDPR Lead Supervisory Authority is a straightforward decision. A company based in Paris, France would appoint the supervisory authority in France as the lead supervisory authority. A UK-based company would choose the Information Commissioner’s Office (ICO), which is the supervisory authority for the UK. For companies that...

GDPR Data Breach Reporting Requirements
Jul20

Healthcare organizations are required to report breaches of the personal data of GDPR data subjects, but what are the GDPR data breach reporting requirements?

Breaches of the Personal Data of EU Residents

Under GDPR, personal data is any information relating to an identified or identifiable data subject: information that could, directly or indirectly, allow a person to be identified. In Article 4 of the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” A data breach could be unauthorized access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach, as is any other incident that affects the availability of personal data, such as a ransomware attack.

GDPR Data Breach Reporting Requirements

Data controllers and data processors must have robust data breach detection,...

GDPR: What is the Role of the Data Protection Officer?
Jul13

Many businesses required to comply with GDPR must appoint a Data Protection Officer, but what is the role of the Data Protection Officer and what types of companies are required to appoint a DPO? The General Data Protection Regulation (GDPR) requires all companies that collect or process the personal data of EU residents to develop policies and procedures covering the collection, processing, and management of personal data of data subjects. GDPR also requires security controls to be implemented to ensure the confidentiality, integrity, and availability of personal data. The deadline for compliance with GDPR was May 25, 2018. One requirement of GDPR is the appointment of a Data Protection Officer whose main role is to oversee compliance.

Does GDPR Require All Companies to Appoint a Data Protection Officer?

Article 37 of the GDPR explains the requirement for designating a Data Protection Officer in an organization. Generally speaking, large companies – those that employ more than 250 people – are required to appoint a Data Protection Officer. Smaller companies, those with fewer...

How Does GDPR Apply to Medical Devices?
Jul05

The European Union’s General Data Protection Regulation came into force on May 25, 2018 and applies to healthcare providers who collect or process the personal data of data subjects residing in the EU, but how does GDPR apply to medical devices?

How Does GDPR Apply to Medical Devices?

Medical devices can collect a range of personal data – data that are considered ‘high risk’ with respect to the rights and freedoms of data subjects. As such, there are many aspects of GDPR that apply to medical devices.

Consent Must be Obtained

Prior to medical devices being used, it is important for consent to collect and process data to be obtained from the data subject. Explicit consent must be obtained, which means the data subject must freely give their specific, informed consent through a clear affirmative action. Any consent form must be written in clear and plain language that can be easily understood, and the data subject must be made aware of the data that will be collected and how they will be used. See Article 7 of the GDPR. Consent is especially important for ‘special category’ of personal...

California Passes GDPR-Style Data Privacy Law
Jul02

AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously. California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including:

- The right to request information from businesses about the types of personal data that are collected and processed and the source of that information
- The right to be informed about the purpose for collecting, using, and selling personal data
- The right to be informed about the categories of third parties with whom the information is shared
- The right to request a copy of all personal information collected by a business
- The right to have all personal information deleted on request
- The right to request that personal information is not sold
- The right to initiate...

GDPR Right to Access Personal Data
Jun29

Healthcare organizations that market their services to residents in the EU or provide medical services to EU residents that require the collection of their personal information are required to comply with the EU General Data Protection Regulation (GDPR). One aspect of compliance that is of particular relevance to healthcare organizations is the GDPR right to access personal data. Any EU resident has the right to request access to all of their personal data and view any supplemental data attached to their file. Data subjects are more likely to exercise this right with healthcare organizations than with other organizations that hold their data, as it is especially important that this information is correct. They may also require the data to pass on to other healthcare organizations. The rights of data subjects with respect to subject access requests (SARs) are detailed in GDPR Article 15.

The GDPR Right to Access Personal Data

If a data subject chooses to exercise their GDPR right to access personal data, the request must be honored within 30 days. The data subject is permitted to obtain...

What are the GDPR Rules for Recording Calls?
Jun21

Many companies record telephone calls for ‘quality and training purposes’ and to help resolve customer disputes, but since May 25, 2018 the GDPR rules for recording calls must be followed.

GDPR Rules for Recording Calls

Any company, regardless of its location, must comply with the GDPR rules for recording calls if the company has dealings with EU residents. Call recording can continue under GDPR, as recording telephone conversations is not prohibited, but there are now additional requirements to protect the rights and freedoms of data subjects under GDPR. As with the use of cookies on websites and other forms of data collection, it can only take place if the data subject gives their consent (GDPR Article 7). Previously, in order to comply with existing regulations, companies would advise people that the calls may be recorded for a particular purpose, and consent was obtained when the customer continued with the telephone call. The customer’s silence or lack of action was taken to mean that consent was being provided. However, the GDPR rules for recording telephone calls require consent to be...

A Third of Healthcare Organizations Expected to Miss GDPR Deadline
Jun14

Healthcare organizations that treat patients from the EU or target EU residents and collect their data are required to comply with the EU’s General Data Protection Regulation. The EU regulation came into force on May 25, 2018. Any healthcare organization that is required to comply with GDPR and fails to do so faces a substantial financial penalty for noncompliance. The fines for noncompliance with GDPR are far in excess of those for HIPAA violations. The maximum penalty for a HIPAA violation is $1.5 million per violation category, per year. The fine for noncompliance with GDPR is up to €20 million ($23 million) or 4% of global annual turnover, whichever is the greater. The final text of GDPR was adopted on April 14, 2016, giving all entities more than two years to implement the appropriate privacy and security controls and develop policies and procedures in line with GDPR. Even so, many organizations put GDPR compliance on the back burner until 2018 and have run out of time. Many organizations in the United States are still on the road to compliance even though the deadline has...

Rights of Data Subjects Under GDPR
Jun11

What are the rights of data subjects under GDPR? Find out more about what GDPR means to data subjects, data controllers, and data processors. The EU’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. The main purposes of the regulation are to ensure data protection laws are standardized across all member states and to expand the rights of data subjects. Under GDPR, data subjects have greater control over who collects their data, how the information is used, and for how long.

GDPR: Rights of Data Subjects

The rights of data subjects under GDPR are detailed in Chapter 3 – Articles 12 to 23. There are eight fundamental rights under GDPR.

1. Right to Access Personal Data: Under GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15).
2. Right to Rectification: Data subjects have the right to request modification of their data, including the correction of errors and the updating of incomplete information (Article 16).
3. Right to...

GDPR Correction and Rectification Requirements
Jun06

From May 25, 2018, GDPR correction and rectification requests must be honored. Data subjects – EU residents – have the right to access the personal data collected by data controllers and view any supplemental data attached to their files. If data subjects access their personal data and notice some information is incomplete or incorrect, they have the right to have that information corrected to ensure their data are accurate and complete. If any information in a personal data file is incorrect or out of date, the data subject can request the information be corrected, edited or removed. Requests can be made orally or in writing. When such a request to access personal data is received, or when a correction or rectification is requested, the data controller is required to respond as soon as possible but no later than 30 days after the request has been made. To ensure compliance with the GDPR correction and rectification requirements, businesses must have developed and implemented policies and procedures to allow them to respond in a timely manner. Those policies and procedures should...

What is GDPR Special Category Data?
May26

Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data. What is GDPR special category data, and how do the rules differ for processing that information?

GDPR Special Category Data

GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination. GDPR special category data includes the following information:

- Race and ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union memberships
- Biometric data used to identify an individual
- Genetic data
- Health data
- Data related to sexual preferences, sex life, and/or sexual orientation

Because these data elements are particularly sensitive, a company must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. Companies are prohibited from collecting or...

The GDPR Right to Object Explained
May25

Under the General Data Protection Regulation (GDPR), data subjects can object to certain uses of their data, but what exactly is the GDPR right to object, what can data subjects legitimately object to, and what must companies do when an objection is received from a data subject?

The GDPR Right to Object

The GDPR right to object is detailed in Article 21 of the GDPR. From May 25, 2018 – the compliance date for the GDPR – businesses must have developed policies and procedures for dealing with objections from data subjects. The GDPR right to object allows data subjects to object to certain types of data processing and stop a company from continuing to process their personal data. There are only certain situations when a legitimate objection can be sent to a company. These are:

- Direct marketing
- The processing of personal data for statistical purposes related to historical or scientific research
- The processing of data for tasks in the public interest
- The exercising of official authority vested in you
- Objections to data processing in your or a third party’s legitimate interest...

Do You Have a GDPR Data Retention Policy?
May17

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR data retention policy, but what should that entail?

GDPR Data Retention Rules

Article 5 explains that when personal data are collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection. Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained. When data need to be retained, appropriate security controls should be applied to prevent the unauthorized access, use, or processing of data, and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all data retained remain accurate and are kept up to date, and inaccurate data are removed. GDPR data retention is covered in Article 5(e), which explains that...

GDPR Exemptions: Who is Exempt from GDPR Requirements?
May11

The General Data Protection Regulation comes into force on May 25, 2018, and companies that collect or process the personal data of EU residents are required to comply with the GDPR, although there are limited GDPR exemptions and derogations.

Who Must Comply with the Requirements of GDPR

GDPR is concerned with ensuring the privacy and data rights of EU residents are protected. GDPR may be an EU law, but GDPR applies to all companies. It does not matter where a company is located, whether it is based in the EU or in a non-EU country: compliance with GDPR is mandatory. There are many misconceptions about GDPR exemptions, such as whether GDPR applies to small businesses, individuals, or companies whose websites are accessible in the EU. Apart from limited GDPR exemptions, all companies – regardless of their size – are required to comply with GDPR if they offer free or paid goods or services to EU residents or monitor their behavior.

Who is Exempt from GDPR?

There are limited GDPR exemptions related to the processing of personal data as detailed below: When data are processed during the...

Does GDPR Apply to EU Citizens Living in the US?
May11

The term ‘European Union citizen’ is often used when explaining General Data Protection Regulation (GDPR) requirements, but what happens when an EU citizen leaves the EU? Does GDPR apply to EU citizens living in the US or in other non-EU countries? Does GDPR apply when EU citizens vacation in non-EU countries? What happens when Americans visit an EU country? They are clearly not EU citizens but are temporarily located in the EU. How does GDPR apply to US citizens living in an EU country or visiting on vacation or for business? Does GDPR Apply to EU Citizens Living in the US? Use of the phrase European Union citizen is not helpful when dealing with GDPR because GDPR is not concerned with citizenship; instead it is concerned with where a person is located. The term EU resident is more useful, or a person located in the EU. GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer...

The Cost of GDPR Compliance
May04

As the introduction of the General Data Protection Regulation on May 25, 2018, draws nearer, many are realizing the cost of bringing their organizations into compliance with the GDPR. A recent study by a legal tech company, Axiom, noted that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and verify that they are in compliance with the GDPR. While not everyone will need to spend as much, there will still be money that needs to be found to assess and implement the necessary elements to continue operating without violating the GDPR. Two of the major areas that are likely to dictate the overall cost to organizations related to the GDPR are their current processes and the nature and scale of the data they manage. How Will GDPR Compliance Cost Money? Arguably, the most significant cost related to GDPR compliance will be the cost of auditing and classifying the data that is held. This is an incredibly important step to take, as it will lead to the identification of the data types being stored or processed; it should identify the risks...

GDPR High Risk Data Processing
May03

The imminent introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, has many questioning what types of data or data processing are considered high risk or very high risk under the new law. As one of the main goals of the GDPR is to legislate data protection procedures concerning individuals within the European Union (EU), the concept of levels of risk may be of great importance to ensuring compliance. The GDPR should harmonize how the data of those located within the EU is collected, stored, and processed. These new rules will not just concern organizations located in EU member states, but also organizations located anywhere across the globe that manage data collected within the EU. To ensure compliance, groups will need to review their procedures and modify them to meet the criteria of the regulations. A first step for many will be a Data Protection Impact Assessment to audit and assess the personal data that they currently possess. Indeed, this is a required measure under the GDPR which states “the likelihood and severity of the risk to the rights and...

A Comparison of the Privacy Shield and the GDPR
May02

With the introduction of the General Data Protection Regulation (GDPR) fast approaching, many are wondering how it compares to or will integrate with other privacy and security laws and agreements, such as the Privacy Shield. As the GDPR will come into effect on May 25, 2018, it is important to clear up any confusion as quickly as possible. A central goal of the GDPR is to ensure that the personal data of people in the European Union (EU) will be protected, and that any storage or processing of this data will only be done in countries that have very strict legislation governing data protection. Currently, the legal safeguards and frameworks that exist within the United States (US) do not reach the standards required by the EU and the GDPR. This would mean that businesses and organizations based in the US would not be permitted to process data from EU countries. The Privacy Shield agreement was made to allow individual US based organizations to prove that their data protection procedures are at a high enough level to allow them to process data from EU countries. How Does the Privacy...

GDPR Definition of Personal Data
May01

The General Data Protection Regulation (GDPR) will govern how personal data collected within the European Union (EU) must be treated, but what is the GDPR definition of personal data? This question has been causing confusion for certain organizations, but they still must have their systems in place to correctly process and collect data before the law comes into force on May 25, 2018. The term “personal data” is defined in the text of the GDPR’s Article 4, Definitions, but the definition which is given is very broad and intentionally vague. This means that groups must be careful with almost any data that they collect or process. There may even be differences in what is counted as personal data based on the activities, data collected, or processing requirements of the data controller or data processor – it is possible that context will play a role in what is defined as personal data. The definition stated in Article 4 is that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be...

Does GDPR Apply to Employees?
Apr30

The introduction of the General Data Protection Regulation (GDPR) is just around the corner and many organizations are wondering whether the GDPR also applies to data concerning employees, as well as to data related to clients or customers. The short answer to this is yes, employee data is subject to the same protections as client and customer data under the GDPR. When groups design their systems to be GDPR compliant, they must not forget to review and modify the systems that deal with internal staff information. This will also mean that staff members will have similar rights to clients and customers in relation to requesting copies of their stored data and other areas. Organizations will face penalties for mismanagement or mishandling of employee data the same as they would for mishandling or violating the rules for data concerning individuals external to the group. How Should Human Resources Prepare? As the majority of data relating to employees will be held and processed by the Human Resources (HR) department, it will be crucial for HR staff members to gain a strong working...

GDPR and Cold Emailing
Apr27

As mentioned above, cold emailing is not completely banned or prohibited by the GDPR but it has placed restrictions on how cold emailing can be used. Unrequested marketing materials cannot just be sent out to random email addresses. Doing so could even result in penalties against the organization. Audience targeting for cold emailing will become much more important under the GDPR. Some strong indication that the recipients will be interested in the subject matter must be able to be demonstrated by the sender. Something such as their job title or business area may be enough to defend contacting the target, but more information should be included when available. Obviously, any information used to support contacting an individual must be obtained legally and transparently. Other criteria that must be met include: Emails should have their subject matter and topics plainly visible The email should be personalized to the recipient. This is another area where target and subject relevance is crucial An unsubscribe option must exist to enable recipients to opt out from receiving future...

GDPR Consent for Existing Customers
Apr26

With less than a month to go before the introduction of the General Data Protection Regulation (GDPR), many companies are wondering whether they need to request consent from their existing customers in order to process or continue processing their data. There are a number of conditions that must be met for consent to be valid under the GDPR. These include consent having been given freely by an informed individual for a specified purpose. On a superficial level, these are the same as the criteria which must be followed under the existing law. As a result, many organizations may feel that their user and customer consent does not need to be reviewed. However, the GDPR makes some amendments to how consent can be acquired, given, or implied. It is important that groups make note of these additional requirements when assessing the consent of their existing customers and when requesting consent from new and future customers. Below, we review some of the more important aspects that must be respected. If these have not been applied, existing consent may not be valid and the company may be...

Comparison of European and American Privacy Law
Apr25

With the introduction of the General Data Protection Regulation (GDPR) just around the corner on May 25, 2018, many people are wondering how the new European law will compare to American privacy laws. An important point to note from the outset is that the GDPR will not just apply to organizations based within the EU, but to any organization which collects or processes the data of individuals based in the EU. The chief determining factor of GDPR applicability is the location of the data subject, not the location of the company. To further clarify this point, many organizations believe that the GDPR only applies to EU citizens. This is not the case. If the data has been collected in the EU, even if the data relates to a non-EU citizen, the information is subject to the protections of the GDPR and the controller and processing entities must treat it in compliance with these rules. Similarly, should a citizen of an EU country have their data collected and processed outside of the EU, their data is not subject to the GDPR protections as it was not collected within the EU. As well as...

GDPR Exemptions
Apr24

The soon-to-be-introduced General Data Protection Regulation (GDPR) will govern how organizations store and process personal data relating to people living in the European Union (EU), but some exemptions can be made under the new legislation. Coming into effect on May 25, 2018, there is still a certain amount of confusion relating to how the GDPR will work and how it will interact with member states’ laws. Below, we will try to clear up some of this confusion. GDPR vs National Law A chief aim of the GDPR is to harmonize the rules concerning data processing across the EU. Even with this as a goal, there will still be a certain amount of leeway and discretion permitted for each individual EU member state to legislate some aspects of how data management is policed. GDPR Article 23, Restrictions, presents a set of acceptable reasons for which a member state may introduce a law restricting some of the rights otherwise granted in the other articles of the GDPR. These reasons include: security and defense; prevention, detection, investigation, or prosecution of crime or breaches of ethics...

GDPR Data Breach Notification Rules
Apr23

The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, makes a number of changes to how organizations can use personal data, but it has also changed the rules of how data breach notifications should be issued. Both data controllers and data processors are obligated to put sufficient apparatus and methods to safeguard the information they hold and process in place. While exact means are not specified, it is stated in Article 32, Security of processing, and several other times in the legislation, that the “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” should be implemented. A non-exhaustive list of examples of security measures that may be considered is also given. The list includes pseudonymization and encryption, as well as procedures to ensure the confidentiality of data, to quickly restore access to data following incidents, and to regularly test the security measures. The security system and procedures must be documented so that compliance with the regulations can be proven. If an...

What is the Difference Between a Controller and a Processor in GDPR?
Apr20

The General Data Protection Regulation (GDPR) makes frequent reference to data controllers and data processors, but what is the difference between a controller and a processor under the GDPR? When the GDPR comes into effect on May 25, 2018, both data controllers and data processors will have specific duties which they must fulfill. Under the existing regulations, data processors do not have statutory responsibilities. This will change with the GDPR’s introduction. As a result, organizations will need to ensure that they are aware of whether they will be classified as data controllers or data processors. If they are unsure, they run the risk of failing to comply with the strict standards and criteria expected of them under the new law. They should also know where they stand in order to implement the necessary data protections and procedures, if applicable. Data Controllers The GDPR has kept the categorization of data controllers and data processors the same as it appears in the existing legislation. A data controller decides, either alone or in concert with other groups, why data is...

Overview of GDPR Article 35
Apr20

The General Data Protection Regulation (GDPR) is a highly complex piece of legislation, but entities should pay particular attention to ensure they have a clear overview of Article 35 and understand how their activities may create risks for individuals, as well as for themselves. The GDPR is a wide-ranging European privacy law, governing and protecting the data of people living in the EU. It will come into effect on May 25, 2018. Article 35, Data protection impact assessment, is the first Article in Section 3, Data protection impact assessment and prior consultation. As certain data processing activities use novel techniques or include the processing of more sensitive data, they may present a high risk to data subjects – the people the data refers to. Article 35 describes when and how a data controller should carry out a data protection impact assessment in order to identify and minimize or address these risks. What Type of Data Requires an Assessment? The processing of certain data types will always require a data protection impact assessment prior to any processing being...

GDPR Password Requirements
Apr18

Although the text of the General Data Protection Regulation frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”, there is no specific mention of GDPR password requirements. However, an appropriate GDPR password policy should be part of a Data Protection Impact Assessment. The primary objectives of the European General Data Protection Regulation (GDPR) are to update data protection laws across the European Economic Area (EEA) and to standardize how EU member states apply the laws by creating rules relating to “the protection of natural persons with regard to the processing of personal data”. GDPR also creates rules for the free movement of personal data within the EEA, and restricts the migration of data outside of approved jurisdictions. In order to achieve these objectives, the Regulation consists of 99 Articles and 173 Recitals. It is significant that after the first four Articles (which relate to the objectives and definitions), the first Article of any real substance stipulates that personal data shall be “processed in a manner that...

What Countries are Affected by the GDPR?
Apr17

What countries are affected by the GDPR is a common GDPR question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was accepted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of EU legislation, institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance. Institutions with offices in an EU country or that collect, process or store the personal data of anyone located within an EU country are required to comply with the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable your entity will be required to comply with the GDPR – especially if it is an entity that operates or offers services via the Internet. Main Countries Affected by the GDPR As mentioned above, the physical location of the institution, organization or business is not as important in determining the need to comply...

Legal Bases for Processing Personal Data Under GDPR
Apr14

We are mere weeks away from the introduction of the General Data Protection Regulation (GDPR) and a number of groups are still confused as to the acceptable legal bases for processing personal data under GDPR. From May 25, 2018, onward, all personal data relating to individuals living in the European Union (EU) will be protected by the new law. Entities involved in processing the personal data of these individuals will be governed by the GDPR. Even groups located outside of the EU must comply with the regulation if they process the data of people based inside of the EU. Under the GDPR, personal data cannot be processed for any goal that an organization may simply be curious about. As noted above, the acceptable reasons are causing some confusion. Article 6 of the Regulation, Lawfulness of processing, states that “[data] processing shall be lawful only if” the processing is being conducted for one of six legitimate reasons. These reasons include: 1. The person has provided active consent for their data to be processed for one or more specific purposes. There is no blanket...

Personally Identifiable Data under the GDPR
Apr11

With the introduction of the General Data Protection Regulation (GDPR) only weeks away, all groups involved in processing the personal data of individuals based in the EU should be aware of their duties under the new law and should be aware of their obligations when processing Personally Identifiable Data under the GDPR. What is Personally Identifiable Data? Personally Identifiable Data is a term used to refer to any piece of information which, either alone or when supported by additional information, allows for the identification of a living person. In the past this was mostly used to designate home addresses or telephone numbers, however this has evolved with the greater presence of technology and mobile devices in everyday life. Recently, the term Personally Identifiable Data can be used when talking about IP addresses, email addresses, social media identifiers, or online images. These elements are not always classified as Personally Identifiable Data, but they may be, depending on the context: a username, or an IP address may be enough to directly identify someone; in contrast,...

GDPR Call Recording Regulations
Apr10

The General Data Protection Regulation (GDPR) call recording regulations will come into force on May 25, 2018. How will the GDPR affect how entities collect, process and store phone calls and phone information? In this article, we will examine the potential impact the GDPR may have on recording phone calls and some steps entities can take to comply with the regulations. Anyone who has ever called a business or customer service line will be familiar with the automatic notice informing them that their call is likely to be recorded. Call recording is a common practice as it allows companies and organizations to monitor their customer care employees, have real world examples for training purposes, and have a definitive reference in case of a customer complaint or any other contentious issue. Given the many important functions that are served by call recording and the enduring preference of many people to call companies for assistance or other reasons instead of using online chats or tools, call recording is likely to be an option that organizations will continue to use for the...

GDPR Best Practices
Apr10

With the May 25, 2018, introduction of the General Data Protection Regulation (GDPR) fast approaching, enterprises and organizations must ensure they are up-to-date with and understand the emerging GDPR compliance best practices. As the penalties for GDPR violations are quite severe, it is in the interest of all concerned groups to put these best practices into place. Aside from avoiding sanctions, following GDPR rules can boost a company’s image among consumers. Robust protections and confidence in data security may lead people to more freely share their data with organizations, without them worrying as much about the risk of information breaches. Having said all this, we now present some GDPR best practices which your group may consider implementing. What is the Purpose of the GDPR? A simple but often overlooked first step is taking the time to understand what the purpose of the GDPR is. People follow rules more readily when they know why they are being put in place. A central goal of the GDPR is to allow individuals based in the EU to have more say in how their information is...

GDPR Documentation Requirements
Apr08

The new European Union (EU) General Data Protection Regulation (GDPR) will take effect from May 25, 2018 and has specific GDPR documentation requirements. When this happens, institutions and entities that process or store personal data relating to EU residents will be obliged to follow the standards set out in this new law. One particular area to note is the GDPR documentation requirements, outlined in Article 30: Records of processing activities. In their capacity as data controller, groups will be required to record how they process data and other aspects of their data processing activities. Failure to do so could result in hefty fines or other serious penalties. Article 30 of the law lists a number of records that must be maintained by the data controller or the representative acting on their behalf. The list includes basic information; such as the name and address of the data controller, their Data Protection Officer (if relevant), and their representative; as well as the purpose of the processing. It also includes some more detailed information relating to transfers of data to...

Does GDPR apply to Canada?
Mar19

Many Canadian companies are investigating the question: does GDPR apply to Canada and Canadian companies? While there are existing laws in place to facilitate the flow and exchange of information, including personal data, between groups based within the European Union (EU) and groups based in Canada, the introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, will quite probably impact and change the current situation. The Personal Information Protection and Electronic Documents Act, known as PIPEDA, is the name of the law that is currently in effect. The EU does not have an overly favorable view on PIPEDA’s ability to hold Canadian entities to the standards necessary to comply with the GDPR. In any case, no matter where they are based – be it Canada, Colombia, China, or Cyprus – entities that process or store personal data relating to people living within the EU will need to follow the rules laid down in the GDPR. What Action do Canadian Companies Need to Take? Companies based in Canada will need to review and take stock of the information they have...

Overview of the GDPR
Jan14

The content of the General Data Protection Regulation, or GDPR for short, was confirmed as long ago as 2015. It is due to become law on the 25th of May 2018, from which date the details outlined in this GDPR overview become applicable. From then on, a business or an organisation which falls under the remit of the GDPR, and yet fails to comply with it, may face the imposition of significant fines or other sanctions. The magnitude of any fine under the GDPR will be a decision for the appropriate Data Protection Authority (DPA). While the different member states of the EU will have their own DPAs, it is anticipated that there will be ongoing discussion between the various DPAs, so as to make sure that there will be some degree of consistency throughout the European Union. Consistency was one of the main motivations for the introduction of the GDPR. Another key reason is to offer EU citizens greater control over how their personal data is used. What are the main consequences of the GDPR for companies and organisations? As noted above, failing to comply with the requirements of the GDPR...

Upgrading Software to comply with GDPR
Jan13

The General Data Protection Regulation (GDPR) comes into force on the 25th of May 2018 and any business that aspires to be GDPR compliant needs to be fully aware of the software upgrades that its IT systems will need to ensure that compliance. It may be the case that your business requires an upgrade of the software that it currently uses, or an alternative software solution might be required. What is the impact of GDPR on your business? To begin with, we should take a look at what the General Data Protection Regulation actually is. The intention of the GDPR is to provide some uniformity in the manner in which personal data is processed in European Union member states. However, the GDPR does not only affect Europe. It also introduces new and extended rights for all data subjects who are citizens of EU countries. That is to say that any organisation which processes the personal data of a European citizen must comply with the GDPR, no matter which continent it is based in. If you are not overly familiar with the terms of the GDPR, it might be helpful to consult the guidance of the...

Best Practice Under the General Data Protection Act
Jan11

On the 25th of May 2018, the EU’s General Data Protection Regulation (GDPR) will become law. It is therefore crucial for organisations and businesses to be fully informed as to what are GDPR best practices. Failing to put these GDPR best practices into action may result in a business being ruled to be non-compliant with the new Regulation, the consequences of which being weighty fines or sanctions. Clearly, no company will want to risk that. Obviously, a GDPR compliant business will also have the additional benefit of maintaining the trust of customers who will be reassured to know that their personal data is adequately protected. At the end of the day, nobody would like to learn that their personal data had been compromised. What, therefore, are the GDPR best practices that every business should adopt before May 25th, 2018? Inform yourself about the GDPR The first step to take is to ensure that you are fully informed as to what changes the GDPR will make. This allows your colleagues and yourself, to grasp the new policies that you are obliged to respect. A key goal of the...

FAQs concerning the GDPR
Jan11

The General Data Protection Regulation, or GDPR, becomes law on the 25th of May 2018. Many businesses are asking the same questions about it. The principal goal of the GDPR is to provide a degree of uniformity to the manner in which personal data is dealt with throughout the European Union. The new Regulation also increases the rights of citizens of EU member states, with respect to organisations or companies processing their personal data. Nonetheless, many business owners appear to be somewhat confused as to what precisely is contained in the GDPR. They have found it a challenge to make sense of the large quantities of information and rumours that have crossed their paths over the last few months. Below is a list of some of the more frequently asked questions, with answers, that many businesses have been asking about the GDPR. Is the GDPR applicable solely to European companies and organisations? As the GDPR is a regulation of the European Union, it is understandable that one of the more common misconceptions about it is that only those organisations which are based in EU member...

“To-do List” for GDPR Compliance
Jan10

The goal of this short piece is to help organizations, companies or businesses that collect, process or store personal data of “data subjects” located in the EU start a GDPR To Do List. This list should permit such entities to take initial steps in order to comply with GDPR. Please note that this is not intended to be a comprehensive guide, more a few “rules of thumb” to take into account in order to get started. Preparing a GDPR To Do List Although the impact of the General Data Protection Regulation (GDPR) has been largely known since it was agreed in 2016, it seems that few organizations have prepared a GDPR To Do List. According to ‘Spice Works’, just one year before the implementation date of the 25th May 2018, only 2% of Information Technology professionals surveyed throughout the European Union believed that their company or business was properly prepared for GDPR. A similar figure applied to IT professionals in the USA, and the figure for their UK counterparts was only marginally higher, at 5%. Simply put, this statistic is a cause for concern given...

Insurance Industry compliance with GDPR
Jan10

The General Data Protection Regulation (GDPR) is due to come into force on the 25th of May 2018. This short article is focused on the GDPR in the particular context of the Insurance Industry. Specialised consideration of the new Regulation is essential given that non-compliance with GDPR rules may lead to the imposition of heavy fines among a number of other sanctions. It is essential to note that the GDPR will apply to insurance companies all around the world and not only those which are based in member states of the European Union. Should your company, in the course of its operations, process the personal data of European citizens then it must be GDPR compliant. What this means is that you must ensure that all of your preparations have been completed prior to the activation of the GDPR. Data processors’ responsibilities under GDPR In the context of GDPR and the insurance industry, one of the most significant developments is that the burden of ensuring compliance will now be divided between data controllers and data processors. Until now, the responsibility of ensuring...

American Companies and the GDPR
Jan09

The impact of the General Data Protection Regulation (GDPR) for American companies which gather, maintain or process personal data of citizens of the European Union (EU) will be considerable – and compliance with it is obligatory. The new EU Regulation will come into force on May 25th, 2018. The GDPR impacts the manner in which the personal data of the citizens of EU member states may be collected, used and held. It also introduces the right for individuals to have much more influence over what data about them is gathered, together with a right to know for what purposes that data is being used, and for what length of time it will be used. The enactment of the GDPR will instigate sweeping changes to business practices for those companies which have not already implemented a policy that reflects a similar level of data privacy. Fields as wide-ranging as finance, human resources, advertising, sales and customer services will undoubtedly be impacted by the changes. Firms which work with channel partners must also ensure that their partners’ activities comply with the GDPR. Do...

Understanding GDPR Compliance
Jan09

What does ‘GDPR Compliance’ mean? GDPR compliance is due to become obligatory in May 2018 for every business, organisation or company which gathers, stores or utilises the personal data of citizens throughout the European Union. The application of the General Data Protection Regulation (GDPR), together with the need for GDPR compliance that will follow, will significantly impact the manner in which data protection is dealt with throughout Europe. In order to respond to the question “What does ‘GDPR Compliance’ mean?”, it is necessary to explain, to those who may be unfamiliar with the terms, the difference between a European Union Directive and a European Union Regulation: an EU Directive is a general set of guidelines on which EU member states may base their own domestic laws (with some flexibility as to the precise terms), whereas an EU Regulation is legislation that applies throughout the entire European Union, meaning that all member nations are obliged to comply with Regulations and they are enforceable by law. The General Data...

Small Businesses and GDPR Compliance
Jan08

What will GDPR change for small businesses? Small businesses have experienced some confusion since the announcement of the General Data Protection Regulation (GDPR). A large number of small business owners appear to have assumed that the GDPR is not applicable to them. Unfortunately, they may well be in for quite a shock on the 25th of May 2018 when the new Regulation comes into force. Although it is a fact that the GDPR’s Article 30 states that small businesses are not bound by it, this will not always be the case. Small business owners should be alert to the introduction of the GDPR, and inform themselves as to what significance it may have for their business, otherwise they could face sanctions they had not anticipated. Sanctions under the GDPR include large fines, which any business would prefer to avoid. What impact might the GDPR have on a small business? Under the terms of the GDPR, a small business appears to be defined as one which employs fewer than two hundred and fifty people. Any business employing more than 250 people must comply with the GDPR, which implies the...

When are GDPR Personal Data Breach Notifications Required?
Oct25

GDPR personal data breach notifications must be issued to the competent supervisory authority in the event of a breach of personal data unless the breach is unlikely to result in a risk of adverse effects on data subjects. Data breach notifications must be issued to data subjects when there is a high risk to the rights and freedoms of those individuals as a result of the breach. Requirements for GDPR Personal Data Breach Notifications On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) becomes enforceable. While there are many requirements to ensure compliance with GDPR, one of those is the mandatory reporting of breaches of personal data. While security breaches may need to be reported to other entities under state or federal laws, GDPR only requires notifications to be issued when the personal data of EU citizens is breached. GDPR personal data breach notifications are required for “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise...

GDPR Requirements for US Companies
Oct18

A new European data privacy and security law – The General Data Protection Regulation (GDPR) – has been introduced, and while this law applies in Europe, there are also GDPR requirements for US companies, including for organizations in the healthcare sector. The new law, which has an effective date of May 25, 2018, requires a swathe of protections to be introduced to keep data of EU consumers secure and to protect their privacy. Healthcare organizations are in a good position to comply with GDPR regulations since they are already required to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that healthcare organizations will not fall afoul of GDPR. GDPR requirements for US companies cover aspects of privacy and security not required for HIPAA compliance. Why Does GDPR Apply to US Companies? GDPR is concerned with protecting the privacy of EU citizens and securing their data, so why are there GDPR requirements for US companies? The reason for GDPR is to give data subjects greater control over the...


EU GDPR Representative

Does your company provide services to customers in the European Union?

Does your company regularly process personal data of your customers who are based in the European Union?

Does your company have a local presence in the EU to monitor how the GDPR regulation is evolving?

Your company may be required by law to appoint a GDPR Representative in the EU.