Saturday, May 5, 2018

SXSW 2018 Day 4, Session 4: GDPR: What Does It Mean For US Business In The EU?

Session page (no audio available): https://schedule.sxsw.com/2018/events/PP99189

Tim Bell, DRP Group

Why does GDPR matter in the US?  It matters because it is directly enforceable against US companies (and companies from other countries).

GDPR was brought about because of frustration in the EU with how US companies treat customer data.
A brief timeline of important relevant recent privacy related events:

2011: Action was brought against Facebook in Ireland because of Facebook’s facial recognition software.  Facebook disabled the feature in Europe.
2013: Following the Snowden revelations, the US-EU Safe Harbor framework for data transfers collapsed.
2016: Uber lost data for 57 million drivers and passengers, and only admitted to it a year later.
2016: WhatsApp lost a case in Holland for not appointing a local data representative, as regulation requires.
2017: When Facebook bought WhatsApp, they promised they would not share data across platforms.  When it was discovered that they were doing this after all, French authorities intervened and stopped it.
2018: Belgium court rules against Facebook tracking people who are not even Facebook members.

GDPR was agreed upon in 2016 and becomes enforceable starting May 25, 2018.  Its arrival raises the stakes:

  • GDPR affects the data of any people in the EU, regardless of whether the person is an EU citizen or whether the company operates outside of the EU.
  • The maximum punishment is extreme – the larger of $25 million or 4% of global turnover.

Some GDPR terminology:

  • Personal data – data which can identify an individual, including IP addresses, work contact details, biometric data, most cookies
  • Data subject – the person who could be identified by the personal data
  • Data controller – the organization which determines how the personal data is processed
  • Data processor – an organization which processes personal data on behalf of the data controller
  • Data Processing – any operation performed on personal data, including collecting and storing

What are the GDPR obligations?

Privacy by design – this is more a state of mind than law.  It requires organizations to have data protection in their DNA.

Lawful basis for processing – typically assumed to be consent, but must be active (a pre-ticked checkbox is not good enough).  However, there are some other justifications for processing data, such as performance of a contract with an individual, complying with legal obligations or performing a task in the public interest.

Data protection officer – a position which is mandated in some cases, depending on company operation in Europe

Data protection representative – mandatory for companies that are not established in the EU

Processing agreement – A data controller that appoints a data processor has to have rules in the contract to describe how data will be handled.

International transfer of data – when transferring data inside or outside of the EU, the data must be transferred with the right protection.  Some countries (such as Israel, Argentina, and others) have equivalency laws, so they are considered “in the EU” for the purpose of data transfer.  For transfer between the EU and the US, “Privacy Shield” replaced Safe Harbor as the data transfer agreement between the two.

Privacy notice – when collecting data from users, the data controller has to tell the users what it intends to do with the data, up front and free of charge.  This needs to be concise, transparent, intelligible and accessible.

Subject access requests – individuals can request to get their data and what a company holds on them.  They also have the right to be forgotten.  A request must be answered in a month, and the company cannot charge for it (but can refuse excessive requests).

Data breach notifications – a company must notify the relevant authorities in each impacted EU nation of any data breach that occurs.  The notification must be done within 72 hours of becoming aware of it.  If there is a high risk to the data subject, the company needs to let them know immediately.  The data processor must tell the data controller without undue delay.

Data processing records – must keep records of all data processing activities for inspection

Data processing impact assessments – must undertake assessments on how processing will impact customers

Estimates are that no more than 15% of companies will be ready when GDPR kicks in.  So what preparations need to be taken towards GDPR?

  1. Appoint a DPO if needed.  If it is not required, appoint someone to manage data regulations.
  2. Know your data – audit both physical and digital data.
  3. Cleanse your data – make sure it’s relevant and that you have consent for it.
  4. Appoint data protection representatives (if you don’t have an office in the EU)
  5. Ensure security of data (physical and digital)
  6. Update procedures to have privacy by design
  7. Ensure staff training – people are the weakest link
  8. Consider basis of processing – was the data collected with consent? Is the consent adequate?
  9. Prepare for data events – data requests, data breach events, etc.


Q: How do you deal with right to forget for third party data processors?
A: The request only applies to you, but you need to disclose the third parties so customers can go to them and make requests from them as well.
Q: Will we see a shift in companies’ data-gathering practices?
A: Very likely.
Q: Does it impact EU citizens living outside of the EU?
A: No – it only applies to people living in the EU.
Q: What’s the impact of Brexit on GDPR?
A: When it happens, there will be a period of transition and confusion, but even after leaving there’s a UK law that’s similar.
Q: Do you need consent for each third party you work with?
A: No – you need to list all the third parties and then have a single consent box.
Q: How about companies like Lyft or Taskrabbit, who have millions of subcontractors – how does that work?
A: What you should do is give subcontractors as little info as possible, and don’t give them continued persistent access to it.  Keep data at the controller level.
Q: What about keeping lists of subcontractors?
A: Have to be very careful about how you store it – same rules apply to it.
Q: What about chat messages?  If a user gives personal data to another user, do you have an obligation to treat it like personal data?
A: You can’t control how users use data they get from other users.  You should set up rules to inform users how data is going to be used.
Q: What about right to be forgotten in this context?
A: It applies as well; each user has the right to withdraw their data.
Q: What about the right to be forgotten with Google search results?
A: You can request Google stop linking to them today, but it’s not clear how GDPR will further impact that.
