Much better example is Office 365. MS has made sure it is fully GDPR compliant all the way from EU located Data Centres , to the comprehensive set of mechanisms available for admins to make every O365 EU user fully GDPR compliant.\u00a0 No wonder all EU institutions (private including) are using it.<\/em><\/p>\nThe new EU rules require organizations to appoint a data protection officer if they process sensitive data on a large scale (which Facebook very clearly does). Or are collecting info on many consumers \u2014 such as by performing online behavioral tracking. But, really, which online businesses aren\u2019t doing that these days?<\/p>\n
The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection \u2014 and some legal experts suggest the regulation will force privacy standards to rise outside the EU too.<\/p>\n
Sure, some US companies might prefer to swallow the hassle and expense of fragmenting their data handling processes, and treating personal data obtained from different geographies differently, i.e. rather than streamlining everything under a GDPR compliant process. But doing so means managing multiple data regimes. And at very least runs the risk of bad PR if you\u2019re outed as deliberately offering a lower privacy standard to your home users vs customers abroad.<\/p>\n
Ultimately, it may be easier (and less risky) for businesses to treat GDPR as the new \u2018gold standard\u2019 for how they handle\u00a0all\u00a0personal data, regardless of where it comes from.<\/p>\n
And while not every company harvests Facebook levels of personal data, almost every company harvests some personal data. So for those with customers in the EU GDPR cannot be ignored.\u00a0At very least businesses will need to carry out a data audit to understand their risks and liabilities.<\/p>\n
Privacy experts suggest that the really big change here is around enforcement. Because while the EU has had long-established data protection standards and rules \u2014 and treats privacy as a fundamental right \u2014 its regulators have lacked the teeth to command compliance.<\/p>\n
But now, under GDPR, financial penalties for data protection violations step up massively.<\/p>\n
The maximum fine that organizations can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover (or \u20ac20M, whichever is greater). Though data protection agencies will, of course, be able to impose smaller fines too. And, indeed, there\u2019s a tiered system of fines \u2014 with a lower level of penalties of up to 2% of global turnover (or \u20ac10M).<\/p>\n
This really is a massive change. Because while data protection agencies (DPAs) in the different EU Member States can impose financial penalties for breaches of existing data laws these fines are relatively small \u2014 especially set against the revenues of the private sector entities that are getting sanctioned.<\/p>\n
In the UK, for example, the Information Commissioner\u2019s Office (ICO) can currently impose a maximum fine of just \u00a3500,000. Compare that to the annual revenue of tech giant Google (~$90BN) and you can see why a much larger stick is needed to police data processors.<\/p>\n
It\u2019s not necessarily the case that individual EU Member States are getting stronger privacy laws as a consequence of GDPR (in some instances countries have arguably had higher standards in their domestic law). But the beefing up of enforcement that\u2019s baked into the new regime means there\u2019s a better opportunity for DPAs to start to bark and bite like proper watchdogs.<\/p>\n
GDPR inflating the financial risks around handling personal data should naturally drive up standards \u2014 because privacy laws are suddenly a whole lot more costly to ignore.[nextpage title=”More types of personal data that are hot to handle”]<\/p>\n
So what is personal data under GDPR? It\u2019s any information relating to an identified or identifiable person (in regulator speak people are known as \u2018data subjects\u2019).<\/p>\n
While \u2018processing\u2019 can mean any operation performed on personal data \u2014 from storing it to structuring it to feeding it to your AI models. (GDPR also includes some provisions specifically related to decisions generated as a result of automated data processing but more on that below).<\/p>\n
A new provision concerns children\u2019s personal data \u2014 with the regulation setting a 16-year-old age limit on kids\u2019 ability to consent to their data being processed. However individual Member States can choose (and some have) to derogate from this by writing a lower age limit into their laws.<\/p>\n
GDPR sets a hard cap at 13-years-old \u2014 making that the defacto standard for children to be able to sign up to digital services. So the impact on teens\u2019 social media habits seems likely to be relatively limited.<\/p>\n
The new rules generally expand the definition of personal data \u2014 so it can include information such as location data, online identifiers (such as IP addresses) and other metadata. So again, this means businesses really need to conduct an audit to identify all the types of personal data they hold. Ignorance is not compliance.<\/p>\n
GDPR also encourages the use of pseudonymization (such as encrypting personal data and storing the encryption key separately and securely) \u2014 as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Although pseudonymized data is likely to still be considered personal data; certainly where a risk of reidentification remains. So it does not get a general pass from requirements under the regulation.<\/p>\n
Data has to be rendered truly anonymous to be outside the scope of the regulation. (And given how often\u00a0\u2018anonymized\u2019 data-sets\u00a0have been shown to be re-identifiable, relying on any anonymizing process to be robust enough to have zero risk of re-identification seems, well, risky.)<\/p>\n
The incoming data protection rules apply to both data controllers (i.e. entities that determine the purpose and means of processing personal data) and data processors (entities that are responsible for processing data on behalf of a data controller \u2014 aka subcontractors).<\/p>\n
Indeed, data processors have some direct compliance obligations under GDPR, and can also be held equally responsible for data violations, with individuals able to bring compensation claims directly against them, and DPAs able to hand them fines or other sanctions.<\/p>\n
So the intent for the regulation is there be no diminishing in responsibility down the chain of data handling subcontractors. GDPR aims to have every link in the processing chain be a robust one.<\/p>\n
For companies that rely on a lot of\u00a0subcontractors to handle data operations on their behalf there\u2019s clearly a lot of risk assessment work to be done.<\/p>\n
As noted above, there is a degree of leeway for EU Member States in how they implement some parts of the regulation (such as with the age of data consent for kids).<\/p>\n
Consumer protection groups are calling for the UK government to include an optional GDPR provision on\u00a0collective data redress\u00a0to its DP bill, for example \u2014 a call the government has so far rebuffed.<\/p>\n
But the wider aim is for the regulation to harmonize as much as possible data protection rules across all Member States to reduce the regulatory burden on digital businesses trading around the bloc.<\/p>\n
On data redress, European privacy campaigner Max Schrems \u2014 most famous for his legal challenge to US government mass surveillance practices that resulted in a 15-year-old data transfer arrangement between the EU and US being\u00a0struck down in 2015\u00a0\u2014 is currently running a\u00a0crowdfunding campaign\u00a0to set up a not-for-profit privacy enforcement organization to take advantage of the new rules and pursue strategic litigation on commercial privacy issues.<\/p>\n
Schrems argues it\u2019s simply not viable for individuals to take big tech giants to court to try to enforce their privacy rights, so thinks there\u2019s a gap in the regulatory landscape for an expert organization to work on EU citizen\u2019s behalf. Not just pursuing strategic litigation in the public interest but also promoting industry best practice.<\/p>\n
The proposed data redress body; short for: \u2018none of your business\u2019 \u2014 is being made possible because GDPR allows for the collective enforcement of individuals\u2019 data rights. And that provision could be crucial in spinning up a centre of enforcement gravity around the law. Because despite the position and role of DPAs being strengthened by GDPR, these bodies will still inevitably have limited resources vs the scope of the oversight task at hand.<\/p>\n
Some may also lack the appetite to take on a fully fanged watchdog role. So campaigning consumer and privacy groups could certainly help pick up any slack.[nextpage title=”Privacy by design and privacy by default”]<\/p>\n
Another major change incoming via GDPR is \u2018privacy by design\u2019 no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.<\/p>\n
This means there\u2019s a requirement on data controllers to minimize processing of personal data \u2014 limiting activity to only what\u2019s necessary for a specific purpose, carrying out privacy impact assessments and maintaining up-to-date records to prove their compliance.<\/p>\n
Consent requirements for processing personal data are also considerably strengthened under GDPR \u2014 meaning lengthy, inscrutable, pre-ticked T&Cs are likely to be unworkable. (And we\u2019ve sure seen\u00a0a whole lot of those hellish things in tech.) The core idea is that consent should be an ongoing, actively managed process; not a one-off rights grab.<\/p>\n
As the UK\u2019s\u00a0ICO tells it, consent under GDPR for processing personal data means\u00a0offering individuals \u201cgenuine choice and control\u201d (for sensitive personal data the law requires a higher standard still \u2014 of explicit consent).<\/p>\n
There are other legal bases for processing personal data under GDPR \u2014 such as contractual necessity, or compliance with a legal obligation under EU or Member State law, or for tasks carried out in the public interest \u2014 so it is not necessary to obtain consent in order to process someone\u2019s personal data. But there must always be an appropriate legal basis for each processing.<\/p>\n
Transparency is another major obligation under GDPR, which expands the notion that personal data must be lawfully and fairly processed to include a third principle of accountability. Hence the emphasis on data controllers needing to clearly communicate with data subjects \u2014 such as by informing them of the specific purpose of the data processing.<\/p>\n
The obligation on data handlers to maintain scrupulous records of what information they hold, what they are doing with it, and how they are legally processing it, is also about being able to demonstrate compliance with GDPR\u2019s data processing principles.<\/p>\n
But \u2014 on the plus side for data controllers \u2014 GDPR removes the requirement to submit notifications to local DPAs about data processing activities. Instead, organizations must maintain detailed internal records \u2014 which a supervisory authority can always ask to see.<\/p>\n
It\u2019s also worth noting that companies processing data across borders in the EU may face scrutiny from DPAs in different Member States if they have users there (and are processing their personal data). Although the GDPR sets out a so-called \u2018one-stop-shop\u2019 principle \u2014 that there should be a \u201clead\u201d DPA to co-ordinate supervision between any \u201cconcerned\u201d DPAs \u2014 this does not mean that once it applies a cross-EU-border operator like Facebook is only going to be answerable to the concerns of the Irish DPA.<\/p>\n
Indeed, Facebook\u2019s tactic of only claiming to be under the jurisdiction of a single EU DPA looks to be\u00a0on borrowed time. And the one-stop-shop provision in the GDPR seems more about creating a co-operation mechanism to allow multiple DPAs to work together in instances where they have joint concerns. Rather than offering a way for multinationals to go \u2018forum shopping\u2019 \u2014 which the regulation does not permit (per\u00a0WP29 guidance).<\/p>\n
Another change: Privacy policies that contain vague phrases like \u2018We may use your personal data to develop new services\u2019 or \u2018We may use your personal data for research purposes\u2019 will not pass muster under the new regime. So a wholesale rewriting of vague and\/or confusingly worded T&Cs is something Europeans can look forward to this year.<\/p>\n
Add to that, any changes to privacy policies must be clearly communicated to the user on an ongoing basis. This means no more references in the privacy statement telling users to \u2018regularly check for changes or updates\u2019 \u2014 that just won\u2019t be workable.<\/p>\n
The onus is firmly on the data controller to keep the data subject fully informed of what is being done with their information. (Which almost implies that good data protection practice could end up tasting a bit like spam, from a user PoV.)<\/p>\n
The overall intent behind GDPR is to inculcate an industry-wide shift in perspective regarding who \u2018owns\u2019 user data \u2014 disabusing companies of the notion that other people\u2019s personal information belongs to them just because it happens to be sitting on their servers.<\/p>\n
\u201cOrganizations should acknowledge they don\u2019t exist to process personal data but they process personal data to do business,\u201d is how analyst Gartner research director Bart Willemsen sums this up.\u00a0\u201cWhere there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too.\u201d<\/p>\n
The data protection officer (DPO) role that GDPR brings in as a requirement for many data handlers is intended to help them ensure compliance.<\/p>\n
This officer, who must report to the highest level of management, is intended to operate independently within the organization, with warnings to avoid an internal appointment that could generate a conflict of interests.<\/p>\n
Which types of organizations face the greatest liability risks under GDPR?\u00a0\u201cThose who deliberately seem to think privacy protection rights is inferior to business interest,\u201d says Willemsen, adding: \u201cA recent example would be Uber, regulated by the FTC and sanctioned to undergo\u00a020 years of auditing. That may hurt perhaps similar, or even more, than a one-time financial sanction.\u201d<\/p>\n
\u201cEventually, the\u00a0GDPR\u00a0is like a speed limit: There not to make money off of those who speed, but to prevent people from speeding excessively as that prevents (privacy) accidents from happening,\u201d he adds.<\/p>\n
Another right to be forgotten<\/h2>\n
Under GDPR, people who have consented to their personal data being processed also have a suite of associated rights \u2014 including the right to access data held about them (a copy of the data must be provided to them free of charge, typically within a month of a request); the right to request rectification of incomplete or inaccurate personal data; the right to have their data deleted(another so-called \u2018right to be forgotten\u2019 \u2014 with some exemptions, such as for exercising freedom of expression and freedom of information); the right to restrict processing; the right to data portability (where relevant, a data subject\u2019s personal data must be provided free of charge and in a structured, commonly used and machine-readable form).<\/p>\n
All these rights make it essential for organizations that process personal data to have systems in place which enable them to identify, access, edit and delete individual user data \u2014 and be able to perform these operations quickly, with a general 30-day time-limit for responding to individual rights requests.<\/p>\n
GDPR also gives people who have consented to their data being processed the\u00a0right to withdraw consent at any time. Let that one sink in.<\/p>\n
Data controllers are also required to inform users about this right \u2014 and offer easy ways for them to withdraw consent. So no, you can\u2019t bury a \u2018revoke consent\u2019 option in tiny lettering, five sub-menus deep. Nor can WhatsApp offer any more time-limit opt-outs for sharing user data with its parent multinational, Facebook. Users will have the right to change their minds whenever they like.<\/p>\n
The EU lawmakers\u2019 hope is that this suite of rights for consenting consumers will encourage respectful use of their data \u2014 given that, well, if you annoy consumers they can just tell you to sling yer hook and ask for a copy of their data to plug into your rival service to boot. So we\u2019re back to that fostering trust idea.<\/p>\n
Add in the ability for third-party organizations to use GDPR\u2019s provision for the collective enforcement of individual data rights and there\u2019s potential for bad actors and bad practice to become the target for some creative PR stunts that harness the power of collective action \u2014 like, say, a sudden flood of requests for a company to delete user data.<\/p>\n
Data rights and privacy issues are certainly going to be in the news a whole lot more.[nextpage title=” Getting serious about data breaches”]<\/p>\n
But wait, there\u2019s more! Another major change under GDPR relates to security incidents \u2014 aka data breaches (something else we\u2019ve seen an\u00a0awful,\u00a0awful\u00a0lot of in recent years) \u2014 with the regulation doing what the US still hasn\u2019t been able to: Bringing in a universal standard for data breach disclosures.<\/p>\n
GDPR requires that data controllers report any security incidents where personal data has been lost, stolen or otherwise accessed by unauthorized third parties to their DPA within 72 hours of them becoming aware of it. Yes, 72\u00a0hours. Not the best part of a year,\u00a0like er Uber.<\/p>\n
If a data breach is likely to result in a \u201chigh risk of adversely affecting individuals\u2019 rights and freedoms\u201d the regulation also implies you should \u2018fess up even sooner than that \u2014 without \u201cundue delay\u201d.<\/p>\n
Only in instances where a data controller assesses that a breach is unlikely to result in a risk to the rights and freedoms of \u201cnatural persons\u201d are they exempt from the breach disclosure requirement (though they still need to document the incident internally, and record their reason for not informing a DPA in a document that DPAs can always ask to see).<\/p>\n
\u201cYou should ensure you have robust breach detection, investigation and internal reporting procedures in place,\u201d is the\u00a0ICO\u2019s guidance\u00a0on this. \u201cThis will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.\u201d<\/p>\n
The new rules generally put a strong emphasis on data security and on the need for data controllers to ensure that personal data is only processed in a manner that ensures it so safeguarded.<\/p>\n
Here again, GDPR\u2019s requirements are backed up by the risk of supersized fines. So suddenly sloppy security could cost your business big \u2014 not only in reputation terms, as now, but on the bottom line too. So this has to be a C-suite concern now.<\/p>\n
Nor is subcontracting a way to shirk your data security obligations. Quite the opposite.\u00a0Having a written contract in place between a data controller and a data processor was a requirement before GDPR but contract requirements are wider now and there are some specific terms that must be included in the contract, as a minimum.<\/p>\n
Breach reporting requirements must also be set out in the contract between the processor and controller. If a data controller is using a data processor and it\u2019s the processor that suffers a breach, they\u2019re required to inform the controller as soon as they become aware. The controller then has the same disclosure obligations as per usual.<\/p>\n
Essentially, data controllers remain liable for their own compliance with GDPR. And the ICO warns they must only appoint processors who can provide \u201csufficient guarantees\u201d that the regulatory requirements will be met and the rights of data subjects protected.<\/p>\n
tl;dr, be careful who and how you subcontract.<\/p>\n
Right to human review for some AI decisions<\/h2>\n
Article 22 of GDPR places certain restrictions on entirely automated decisions based on profiling individuals \u2014 but only in instances where these human-less acts have a legal or similarly significant effect on the people involved.<\/p>\n
There are also some exemptions to the restrictions \u2014 where automated processing is\u00a0necessary for entering into (or performance of) a contract between an organization and the individual; or where it\u2019s\u00a0authorized by law (e.g. for the purposes of detecting fraud or tax evasion); or where an individual has explicitly consented to the processing.<\/p>\n
In its guidance, the\u00a0ICO\u00a0specifies that the restriction only applies where the decision has a \u201cserious negative impact on an individual\u201d.<\/p>\n
Suggested examples of the types of AI-only decisions that will face restrictions are automatic refusal of an online credit application or an e-recruiting practices without human intervention.<\/p>\n
Having a provision on automated decisions is not a new right, having been brought over from the 1995 data protection directive. But it has attracted fresh attention \u2014 given the rampant rise of machine learning technology \u2014 as a potential route for GDPR to place a check on the power of AI black boxes to determine the trajectory of humankind.<\/p>\n
The real-world impact will probably be rather more prosaic, though. And experts suggest it does not seem likely that the regulation, as drafted, equates to a right for people to be given detailed explanations of how algorithms work.<\/p>\n
Though as AI proliferates and touches more and more decisions, and as its impacts on people and society become more evident, pressure may well grow for proper regulatory oversight of algorithmic black boxes.<\/p>\n
In the meanwhile, what GDPR does in instances where restrictions apply to automated decisions is require data controllers to provide\u00a0some\u00a0information to individuals about the logic of an automated decision.<\/p>\n
They are also obliged to take steps to prevent errors, bias, and discrimination. So there\u2019s a whiff of algorithmic accountability. Though it may well take the court and regulatory judgments to determine how stiff those steps need to be in practice.<\/p>\n
Individuals do also have a right to\u00a0challenge and request a (human) review of an automated decision in the restricted class.<\/p>\n
Here again, the intention is to help people understand how their data is being used. And to offer a degree of protection (in the form of a manual review) if a person feels unfairly and harmfully judged by an AI process.<\/p>\n
The regulation also places some restrictions on the practice of using data to profile individuals if the data itself is sensitive data \u2014 e.g. health data, political belief, religious affiliation, etc \u2014 requiring explicit consent for doing so. Or else that the processing is necessary for substantial public interest reasons and lies within EU or Member State law.<\/p>\n
While profiling based on other types of personal data does not require obtaining consent from the individuals concerned, there is still a transparency requirement \u2014 which means service providers will need to inform users they are being profiled, and explain what it means for them.<\/p>\n
Natasha Lomas<\/a><\/p>\n![\"gdpr](\"https:\/\/i0.wp.com\/dbj.systems\/kb\/wp-content\/uploads\/sites\/18\/2018\/01\/gdpr-eu-flag.png?resize=1140%2C647&ssl=1\")
<\/p>\n","protected":false},"excerpt":{"rendered":"
European Union lawmakers proposed a comprehensive update to the bloc\u2019s data protection and privacy rules in 2012.\u00a0WTF is GDPR? This text has been taken from The Tech Crunch here.\u00a0 This is yet another condensed explanation on the key point of GDPR. The aim of this comment is to clarify (once more) the key points important […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"jetpack-portfolio-type":[87],"jetpack-portfolio-tag":[82,84,95,121],"class_list":{"0":"post-1132","1":"jetpack-portfolio","2":"type-jetpack-portfolio","3":"status-publish","4":"format-standard","6":"jetpack-portfolio-type-compliance","7":"jetpack-portfolio-tag-82","8":"jetpack-portfolio-tag-america","9":"jetpack-portfolio-tag-gdpr","10":"jetpack-portfolio-tag-tech-crucnch","11":"czr-hentry"},"jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/jetpack-portfolio\/1132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/jetpack-portfolio"}],"about":[{"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/types\/jetpack-portfolio"}],"author":[{"embeddable":true,"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/comments?post=1132"}],"version-history":[{"count":2,"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/jetpack-portfolio\/1132\/revisions"}],"predecessor-version":[{"id":1317,"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/jetpack-portfolio\/1132\/revisions\/1317"}],"wp:attachment":[{"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/media?parent=1132"}],"wp:term":[{"taxonomy":"jetpack-portfolio-type","embeddable":true,"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/jetpack-portfolio-type?post=1132"},{"taxonomy":"jetpack-portfolio-tag","embeddable":true,"href":"https:\/\/dbj.systems\/kb\/wp-json\/wp\/v2\/jetpack-portfolio-tag?post=1132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}