How GDPR 24/7 Compliance Platform Provides GDPR Continuity

Just when you thought your GDPR compliance journey was on track, your compliance manager hands in their notice and you have one month to find a replacement. The options are:

a) panic or

b) rest assured that the transition to a new manager will be smooth.

But what is the best route to ensuring that no work history or data files are lost when your compliance manager leaves the scene? How can you guarantee that what you’ve accomplished to date remains intact?

The answer to a straightforward onward journey is GDPR software. Why? Because it keeps all your compliance efforts in one place, and every step along your compliance journey is recorded.

With dedicated compliance software, a change in management becomes a case of giving your new manager access to the software and allowing him or her the time to go through your company’s log of compliance tasks.

How exactly does compliance software make it easy?

 

  1. Proof in one place

Compliance software records an audit trail of your compliance journey, so a new manager can view the status of all your compliance efforts and know exactly what has been done and what still needs to be done to become or remain compliant.

  2. Data mapping

Your data processing activities are recorded within the software, so a new manager can check how personal data flows through your company and where your potential data protection risks lie. With this information he or she will be able to understand and manage the data protection tasks going forward.

  3. Employee training

Each employee’s training status is easily viewed online, so there can be no confusion about the training employees have completed or what they still need to do.

  4. Data breaches

All security incidents are logged in the software, and anyone with access to the log can easily find out what happened, when a response was sent, and if or when the breach was reported to the authorities.

  5. Subject access requests

Compliance software logs all SARs on your system along with the processing status of each one. Your new manager will therefore be able to see whether data subjects have asked to have their personal information changed or erased altogether, and whether this has been actioned yet.

  6. Governance material

Your privacy statements are logged, and even generated if you want them to be, by compliance software, so your new manager will be able to view all governance material and make changes to the documents before publishing them again.

Personally, I can’t imagine how a new compliance manager would cope without the comprehensive web of information held by compliance software. Taking over with compliance software in place means that knowledge transfer happens automatically, i.e. all personal data and systems are on the table, or rather in the cloud, right from the start.

You can try GDPR 24/7 compliance software before you take it on. GDPR 24/7 has a 14-day free trial that shows you all its features.

 

What is the APEC Privacy Framework and who has signed up to it?

The APEC Privacy Framework is a set of principles and implementation requirements created to enable effective privacy protections that avoid barriers to the information flows so vital to global data exchange, and to ensure ongoing trade and economic growth in the Asia Pacific Economic Cooperation region of 27 countries. The APEC Privacy Framework set in motion the process of creating the APEC Cross-Border Privacy Rules system.

The CBPR (Cross-Border Privacy Rules) system has now been formally joined by the United States, Canada, Japan and Mexico, with more nations soon to follow. The CBPR program is comparable to the EU-U.S. Privacy Shield in that both provide a means for self-assessment, compliance review, recognition/acceptance and dispute resolution/enforcement. Both systems require each country to designate a data protection authority (the U.S. enforcement authority is the Federal Trade Commission).

Unlike the GDPR, which is a directly applicable regulation, the CBPR system does not replace or alter a member country’s domestic laws and regulations. Where a country has no applicable domestic privacy protection requirements, the CBPR system is intended to provide a minimum level of data protection.

 

The privacy enforcement authorities of a country that takes part in the system should have the ability to take enforcement actions under applicable domestic laws and regulations that have the effect of protecting personal information consistent with the CBPR program requirements.

As trade and cross-border data agreements grow exponentially, global organisations cannot simply rely on being compliant with local privacy laws. Privacy compliance must now be thought of as a global umbrella, with compliance with many regional and country laws nestling beneath it.

Relentless Global Privacy Services helps clients meet the tough world of privacy regulations.

 

 

Let’s take a deep dive into the framework and how it compares to the GDPR.

 

 

 

APEC Privacy Framework (or CBPRs) compared with the GDPR

Purpose
APEC: To develop effective privacy protections that avoid barriers to information flows, and ensure continued trade and economic growth in the APEC region.
GDPR: To enable the free movement of personal data within the Union while protecting the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

Material scope
APEC: Applies to persons or organizations in the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information.
GDPR: Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.

Territorial scope
APEC: Applies to the same extent that the laws of each member country apply.
GDPR: Applies to processing that takes place in the Union, or by a processor who has an establishment in the Union within the context of activities in the Union, or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.

Personal information
APEC: Personal information means any information about an identified or identifiable individual.
GDPR: (Same.) Personal data means any information relating to an identified or identifiable natural person.

Data controller
APEC: Personal information controller means a person or organization who controls the collection, holding, processing or use of personal information.
GDPR: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processors
APEC: The APEC Privacy Framework and CBPRs do not apply to processors, only to controllers.
GDPR: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Publicly available information
APEC: The APEC Privacy Framework has limited application to publicly available information. Notice and choice requirements, in particular, are often superfluous where the information is already publicly available and the personal information controller does not collect the information directly from the individual concerned.
GDPR: The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Permitted member country variations (derogations)
APEC: Economies implementing the framework at a domestic level may adopt suitable exceptions to scope that suit their particular domestic circumstances. The framework is not intended to impede governmental activities authorized by law when taken to protect national security, public safety, national sovereignty or other public policy.
GDPR: Member States have discretion in a number of subject areas, including: supervisory authority; sanctions; demonstrating compliance; data protection officers; archiving and research; third-country transfers; sensitive personal data and exceptions; criminal convictions; rights and remedies; processing of children’s personal data by online services; freedom of expression in the media; processing of data; restrictions; and rules surrounding churches and religious associations. Exceptions to general GDPR applicability also exist for national security, public safety and police powers.

Preventing harm principle
APEC: Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information.
GDPR: Protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

Notice
APEC: Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information. All reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of collection of personal information; otherwise, such notice should be provided as soon after as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information. Where personal information is not obtained directly from the individual but from a third party, it may not be practicable to give notice at or before the time of collection.
GDPR: If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Collection limitation
APEC: The collection of personal information should be limited to information that is relevant to the purposes of collection, and any such information should be obtained by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, and shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Use limitation
APEC: Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes, except: a) with the consent of the individual whose personal information is collected; b) when necessary to provide a service or product requested by the individual; or c) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, and shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Choice and consent
APEC: Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information.
GDPR: Permits the use of health-related personal data with explicit consent from the subject, unless reliance on consent is prohibited by EU or member state law. “Explicit consent” must meet a higher standard than consent for the processing of other forms of personal data: an individual must be clearly informed of the use of their data and take an affirmative action to demonstrate their consent. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data integrity
APEC: Personal information should be accurate, complete and kept up to date to the extent necessary for the purposes of use.
GDPR: Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Security safeguards
APEC: Personal information controllers should protect the personal information that they hold with appropriate safeguards against risks such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.
GDPR: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Access and correction
APEC: Individuals should be able to obtain from the personal information controller confirmation of whether or not it holds personal information about them, have access to information held about them, challenge the accuracy of information relating to them, and have the information rectified, completed, amended or deleted. All of the above rights are subject to a balancing of the burden or expense of compliance, legal or security reasons, the protection of commercial information, and the protection of the privacy rights of persons other than the affected individual.
GDPR: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and to access the personal data and information about the processing, including: what categories of data are processed; the recipients of the data; the rights to erasure and rectification of the personal data; the right to lodge a complaint with a DPA; the source of the data; and whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).

Accountability
APEC: A personal information controller should be accountable for complying with measures that give effect to the Principles stated above.
GDPR: The controller shall be responsible for, and be able to demonstrate compliance with, the principles of the processing of personal data under the GDPR.

Transfer of personal data to another person or country
APEC: When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.
GDPR: When a controller sends data to another party to be processed, that party is a processor and must therefore be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection, or where protected by binding corporate rules, approved model clauses, or binding agreements combined with an approved code of conduct or approved certification.

Breach definition
APEC: There is no specified definition of breach under the APEC Privacy Framework or CBPRs.
GDPR: Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Breach notification
APEC: The APEC Privacy Framework does not directly address breach, but the principles support notification. The Cross-Border Privacy Rules (CBPR), to which APEC economies must bind themselves in order to join, require that member countries impose rules requiring data controllers to protect data contractually, by requiring notification to themselves from data processors, agents, contractors or other service providers. The CBPRs do not require that member countries impose mandatory notification of breach to privacy enforcement authorities or data subjects.
GDPR: The GDPR requires assessment of data incidents and prompt notification of breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.

Breach mitigation
APEC: (See above.) The APEC Privacy Framework requires appropriate safeguards. The CBPRs require the applicant country to describe how it enforces a requirement to have technical safeguards (authentication and access control, encryption, firewalls and intrusion detection, audit logging, monitoring, etc.) and administrative safeguards (training, policies, enforcement, etc.).
GDPR: Notification to data subjects is not required if:
· the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or
· the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
· it would involve disproportionate effort, in which case there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

Comparing South Korea Personal Information Protection Act to GDPR


 

South Korea’s comprehensive Personal Information Protection Act (PIPA) was enacted on Sept. 30, 2011. PIPA is known for being one of the world’s strictest privacy regimes.

PIPA has many similarities to the GDPR: it protects privacy rights from the viewpoint of the data subject, and it is wide-ranging, applying to most organizations, even government entities.

It is not only broadly applicable and robust, but its penalties, which include criminal and regulatory fines and even imprisonment, are vigorously enforced.

On June 30 of last year, South Korea became the fifth member to join the APEC Cross-Border Privacy Rules, joining the U.S., Japan, Canada and Mexico.


 

The table below compares aspects of the GDPR directly with South Korea’s PIPA.

South Korea’s Personal Information Protection Act

GDPR

Purpose

To provide for the processing of the personal information for the purpose of enhancing the right and interest of citizens, and further realizing the dignity and value of the individuals by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information. To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
Material Scope Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties. Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.
Territorial Scope Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action. Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.
Personal Data “Personal information” means information pertaining to any living person that makes it possible to identify such individual by their name and resident registration number, image, etc. (including the information which, if not by itself, makes it possible to identify any specific individual if combined with other information). Personal data means any information relating to an identified or identifiable natural person.
Sensitive Personal Data Sensitive personal information pertains to ideology, belief, joining and withdrawing from trade unions or political parties, political opinion, health, sexual life, criminal history dat, and DNA information acquired from genetic examination, as well as other personal information that, if processed, is likely to infringe the privacy of data subjects. Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Controller The act does not distinguish between controllers and processors. Both a controller and a processor are considered a “Personal information processor.” Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processors “Personal information processor” means a public institution, legal person, organization, individual, etc. that processes directly or indirectly personal information to operate personal information files for official or business purposes. Because the act does not distinguish between controllers and processors, it is important to note that processors in South Korea are subject to many requirements that are reserved for controllers under the GDPR. Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Publicly Available Information There is no specific exception to applicability that relates to publicly available information. The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.
Preventing Harm Principle The law provides that state and local governments shall devise policies to prevent harmful consequences of beyond-purpose collection; abuse and misuse of personal information; and enhance the dignity of human beings and individual privacy. Preventing harm is also expressed as a reason for certain personal information to be classified as sensitive. Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Lawfulness, Fairness and Transparency The personal information processor shall make the personal information processing purposes explicit and specified and shall collect minimum personal information lawfully and fairly to the extent necessary for such purposes. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose Limitation An information processor should use personal information only for the purposes specified to the data subject in any applicable consent. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization A personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes. Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay. 

Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Storage Limitation The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing as well as make efforts to process personal information in anonymity, if possible. Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this regulation in order to safeguard the rights and freedoms of the data subject.

Notice

The personal information processor shall make public its privacy policy and other personal information processing matters. The privacy policy must disclose: 

· The purpose of personal information procession. 

· The period for processing and retention of the personal information.

· Any provision of the personal information to a third party (if applicable).

· Any consignment of personal information processing (if applicable). 

· The rights and obligations of data subjects and how to exercise the rights. 

· Other matters in relation to personal information processing as stated in the Presidential Decree.

Articles 12, 13, and 14 address the requirement that a data controller provide notice to data subjects of processing that is concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge. 

The notice must contain: 

· Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer 

· Purpose of the processing and the legal basis for the processing 

· The legitimate interests of the controller or third party, where applicable 

· Categories of personal data 

· Any recipient or categories of recipients of the personal data 

· Details of transfers to third country and safeguards 

· Retention period or criteria used to determine the retention period 

· The existence of each of data subject’s rights 

· The right to withdraw consent at any time, where relevant 

· The right to lodge a complaint with a supervisory authority 

· The source the personal data originates from and whether it came from publicly accessible sources 

· Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data 

· The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

Choice and Consent The law specifies that when obtaining consent from the data subjections, the personal information processor shall notify the data subjects of the fact by separating the matters requiring consent and helping the data subjects to recognize it explicitly. When obtaining consent for processing, the personal information requiring consent should be segregated from the personal information not requiring consent. 

The personal information processor shall not deny goods and services on the basis that the data subject did not consent to certain processing (such as agreeing to receive solicitations).

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 

If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Integrity and Confidentiality The act imposes detailed technical and administrative measures for the security of personal information. The personal information processor shall take such technical, managerial and physical measures as internal management plan and preservation of log-on records, etc., necessary to ensure the safety so that personal information may not be lost, stolen, leaked, altered or damaged. Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Accountability The personal information processor must appoint a privacy officer. 

The Minister of Public Administration and Security has the right to request goods and documents that demonstrate compliance with the law and to enter the premises and inspect if the personal information processor fails to furnish the materials.

Under the GDPR, the controller must appoint a data protection officer only in defined cases. The controller is responsible for, and must be able to demonstrate, compliance with the principles of processing under the GDPR. The controller and the processor shall designate a data protection officer where the processing is carried out by a public authority, where their core activities require regular and systematic monitoring of data subjects on a large scale, or where their core activities consist of large-scale processing of special (sensitive) categories of data or of personal data relating to criminal convictions and offences.

Access and Correction The data subject has the right to demand access to their personal information, to suspend its processing, and to demand its correction, deletion and destruction. Under the GDPR, the data subject has the right to obtain from the controller confirmation as to whether personal data concerning them are being processed, and to access the personal data and information about the processing, including the categories of data processed, the recipients, the rights to erasure and rectification, the right to lodge a complaint with a DPA, the source of the data, and whether the data are subject to automated decision-making including profiling (and if so, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject).
Data Portability Data subjects may demand access to data, with some exceptions, but the law does not specify that access must take the form of an export or any other form of portability. Under the GDPR, the data subject has the right to receive the personal data concerning them which they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the data were provided.
Transfer of Personal Data to Another Person or Country A data protection agreement must be in place between the personal information processor and any party to which processing is outsourced. This requirement also applies to international transfers of personal information.

The personal information processor must also inform data subjects when the personal information processor provides personal information to a third party overseas, and the personal information processor shall not enter into a contract for unlawful cross-border transfer when it obtains consent.

Under the GDPR, when a controller sends data to another party to be processed, that party is a processor and must be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries that the EU has found to provide adequate protection, or where the transfer is protected by binding corporate rules, approved standard contractual clauses, or binding and enforceable commitments combined with an approved code of conduct or approved certification.
Breach Definition The law does not define a breach, but refers to an event where personal information has been leaked (divulged). Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Breach Notification The personal information processor must notify the aggrieved data subjects without delay when it becomes aware that personal information has been breached. 

Breaches that affect more than a certain number of individuals as set forth in a presidential decree must be disclosed to the data protection authority.

The GDPR requires assessment of data incidents and prompt notification of the breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.
Breach Mitigation The law has no specific provision allowing a harm or risk test, or mitigation, to avoid the requirement to notify a breach, but the personal information processor is obliged to take countermeasures to minimise damage. Under the GDPR, notification to data subjects is not required if:

· The controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular, those that render the data unintelligible to any person who is not authorized to access it, such as encryption; or 

· The controller has taken subsequent measures that ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialize; or 

· It would involve a disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

 

 

Five Examples for Email Marketers in using Legitimate Interest

 

Before the GDPR came into force on 25 May 2018, businesses commonly relied on opt-out consent when a customer created an account: the customer had to tick a box to stay off a mailing list, or untick a pre-ticked box. Consent was often given passively through these slightly duplicitous methods, and the GDPR outlawed them.

 

Under the GDPR, customers must now actively tick an unambiguous opt-in box before they can be added to a mailing list. Predictably, this kind of proactive consent is given less often.

 

Consent is one of six lawful bases for processing personal data under Article 6. The other five are contract, legal obligation, legitimate interest, vital interests and public task. Of these, legitimate interest (LI) offers a useful alternative to consent as a basis for processing. It allows marketers to contact customers whose details they obtained during a sale or negotiations for a possible sale; combined with the PECR exemption that permits emailing existing customers about similar products, this is known as the “soft opt-in”. Note that the soft opt-in is a PECR concept, not a form of implied consent under the GDPR.

 

Legitimate Interest Assessment

 

Legitimate interest provides a lawful basis for processing data without consent, but it must still satisfy the GDPR's criteria. To be valid, it first has to pass a three-part legitimate interest assessment (LIA):

 

  • Purpose: are you pursuing a real legitimate interest? This might include direct marketing to further the interests of your company or a third party, retaining essential client or staff data, IT security or fraud prevention.
  • Necessity: is the processing necessary for that purpose, or could the purpose be achieved in a less intrusive way?
  • Balancing test: do the data subject's interests, rights and freedoms override the business's interest (i.e. would the processing adversely affect the individual in ways they would not reasonably expect)?

 

Legitimate interest applies to B2B contacts as well as B2C, though business contacts are generally expected to be more robust about marketing use of their details than consumers, so the impact of the processing on individuals deserves special consideration.

 

Can You Email Opted-Out Customers by Claiming Legitimate Interest?

 

In short: no. Direct marketing under the legitimate-interest umbrella must still comply with the Privacy and Electronic Communications Regulations (PECR), which means electronic marketing to individuals must have been solicited by the data subject. If it wasn't, direct marketing can only go out by post, by live phone calls to numbers not registered with the TPS/CTPS and where the person has not objected, or by email and text message to soft opt-in customers or to business contacts. You cannot use legitimate interest as a default, do-it-all basis for data processing.

 

Data Collection and Data Mapping

 

Marketers can send out promotional emails to opted-in customers. This might be done through agencies or email service providers such as MailChimp, GetResponse, SparkPost and others. The type of data collected and processed from individuals includes the following:

  • Personal ID; name, address, telephone, email addresses, social network addresses, user IDs, consent or non-consent history for receiving marketing material.
  • Further personal profiling; details about family, lifestyle, education, career, pets, car ownership, property ownership, tastes.
  • Previous interaction with the company including transactions, communications, complaints.

 

It is imperative for businesses to manage data sprawl in order to comply with EU regulations and the UK's Data Protection Act 2018. A data mapping tool is an invaluable aid in achieving this. Once you can see how data passes through your business, you will also see what consent has been obtained (or not), reduce the risk of data breaches and make your database compliant.

 

Five Ways Legitimate Interest is Used by Marketers

 

Legitimate interest can be justified in numerous ways to engage new customers, reactivate dormant users or to otherwise benefit the business. Here are five such ways:

 

1. Direct Marketing

With some notable caveats, legitimate interest can be used for direct marketing purposes in place of consent. It’s particularly useful in conjunction with soft opt-ins. Meticulous records should be kept so that legal compliance can be demonstrated. Especially with B2C data, legitimate-interest assessments (LIAs) should show arguments against data processing as well as for.

 

2. Personalisation

Personalising a website around an individual's data is an obvious marketing tactic, and it can often be justified through legitimate interest, for example when a company offers similar or complementary items for sale based on a customer's browsing or buying history.

 

3. Market Research

Businesses may rely on legitimate interest rather than consent for market research, such as trend analysis or a study of marketing effectiveness, provided the three-part LIA is satisfied.

 

4. Suppression

Suppression refers to honouring a customer's objection to receiving direct marketing or to having their details kept on file. Even then, a minimal record (typically just the email address, or a hash of it, on a suppression list) must be retained so that no further messages are sent and the objection is respected; legitimate interest is the basis for keeping that record.
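The suppression mechanism described above, as an added example that is not part of the original post: addresses are normalised and stored only as a salted SHA-256 hash, and an outgoing campaign list is filtered against them. The tenant salt and the sample addresses are constructed for illustration.

```python
import hashlib
import unicodedata


def normalise_email(addr: str) -> str:
    """Canonicalise an address so one person matches regardless of case or stray whitespace.

    The local part is lower-cased too: it is case-sensitive in theory but almost never in
    practice, and a suppression list should err on the side of not mailing someone.
    """
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local}@{domain}"


class SuppressionList:
    """Stores only a salted SHA-256 of each opted-out address.

    The salt is a hypothetical per-tenant value: it stops the list being joined against
    another organisation's hashed list. The hash is still pseudonymised personal data
    under the GDPR, but it is the minimum needed to honour the objection.
    """

    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._keys: set[str] = set()

    def _key(self, addr: str) -> str:
        return hashlib.sha256(self._salt + normalise_email(addr).encode("utf-8")).hexdigest()

    def add(self, addr: str) -> None:
        """Record an objection; the plaintext address is never retained."""
        self._keys.add(self._key(addr))

    def is_suppressed(self, addr: str) -> bool:
        return self._key(addr) in self._keys

    def filter_campaign(self, recipients: list[str]) -> tuple[list[str], int]:
        """Return (addresses safe to mail, number removed). Malformed entries are dropped too."""
        allowed: list[str] = []
        blocked = 0
        for r in recipients:
            try:
                if self.is_suppressed(r):
                    blocked += 1
                    continue
            except ValueError:
                blocked += 1
                continue
            allowed.append(normalise_email(r))
        return allowed, blocked


if __name__ == "__main__":
    # Constructed sample data, not real customers.
    suppression = SuppressionList(salt=b"tenant-42-demo-salt")
    suppression.add("Alice.Smith@Example.com ")  # objection received via an unsubscribe link
    campaign = ["alice.smith@example.com", "bob@example.com", "not-an-address"]
    ok, dropped = suppression.filter_campaign(campaign)
    print(ok, dropped)  # ['bob@example.com'] 2
```

The hashed entry cannot be turned back into a mailing list, which is the point of keeping it: it exists only to block sends. Remember that a hash of an email address is still pseudonymised personal data, so the suppression list itself belongs in your records of processing.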

 

5. Snail Mail

Although you cannot send marketing emails to opted-out individuals, nor email them to entice them into opting back in (some large companies have been fined for doing this), you can try to re-engage customers by sending materials through the regular post, provided they have not exercised their right to object to direct marketing altogether (Article 21(2)), which is absolute.

 

In Summary

An acid test for LI is always this: what does the customer expect to see or receive? That is a reliable starting point. For GDPR compliance and efficient, lawful marketing, get your house in order with data mapping!

 

Considerations US Companies Should Take When Processing European Data

 

If you are a US company that directly processes the personal data of EU customers for your own purposes, you are a data controller under the GDPR. But what if you are an American B2B company that handles that data on behalf of an EU business? Then you are a data processor rather than a controller. You will have fewer direct obligations than the controller, but you must still comply with the GDPR by law.

 

Supposing your EU client abruptly asks for your GDPR compliance? You will need to be ready or risk losing business.

 

There is no federal GDPR equivalent in the US, but US companies must observe EU law if they process the personal data of people in the EU. Doing so avoids fines and prepares them for any federal or state privacy laws that follow. The world is waking up to data protection. What can a US data processor do to protect itself against GDPR breaches?

 

Data Mapping

 

Few tasks are more important to GDPR compliance than identifying where you store all your data. A major risk of non-compliance occurs when companies lose control of their data and lose sight of exactly where it resides. You need data mapping to combat “data sprawl”. As a US company, you must know what EU data you process and all the places you store it. The worst thing any company can do is bury its head in the sand over this.

 

Do You Share EU Data with Another US Company?

 

Under the GDPR, a processor that handles data on behalf of another processor is commonly called a “sub-processor”. In this post, that means a US company processing EU data for another US company which in turn processes it for an EU controller.

In such situations, the sub-processor must also be GDPR-compliant. A key principle of the GDPR is that responsibility follows the data: every party in the chain carries legal obligations. A contract must exist between processor and sub-processor that mirrors the obligations in the controller-processor contract (Article 28(4)).

 

Can You Quickly Isolate Personal Data?

 

Another vital part of GDPR compliance is the ability to quickly find and isolate personal data. Data subjects have various rights, including the right to erasure (the “right to be forgotten”), which applies unless one of the exemptions in Article 17 covers the data (for example a legal obligation to retain it). When a valid request arrives, your company needs to be able to locate all data held on the subject, remove it cleanly from its records and pass the request on to any processors handling that data. If you are a small to mid-sized company (bearing in mind that the GDPR applies to businesses of all sizes), GDPR compliance software can help with this, as well as with data mapping.

 

Appointing an EU Representative

 

A US company without any establishment in the EU (no legal entity, branch or subsidiary there) that falls under the GDPR needs an EU representative under Article 27, unless its processing is occasional, does not include large-scale processing of special-category or criminal-offence data and is unlikely to pose a risk to individuals (Article 27(2)). This is not the same role as a DPO (data protection officer). The DPO focuses on internal compliance, whereas an EU representative acts as the point of contact between a non-EU company and EU data subjects and supervisory authorities.

An EU representative has to be based in one of the member states where the affected data subjects are. One option is to appoint an EU representative through GDPR consultants Relentless Privacy and Compliance Services. An alternative for companies with the resources is to set up a subsidiary in the EU, which would make the company established there and remove the need for a representative.

 

Think About Joining the EU-US Privacy Shield

 

Introduced in 2016, the EU-US Privacy Shield was an optional self-certification framework for transfers of personal data from the EU to the US. It was less demanding than the GDPR, was subject to an annual joint review, and provided a useful roadmap towards compliance. One caveat a practitioner needs today: the Court of Justice of the EU invalidated the Privacy Shield in July 2020 (Schrems II, C-311/18), so EU-US transfers now rely on standard contractual clauses with a transfer impact assessment, or on the successor EU-US Data Privacy Framework adopted in July 2023.

 

Act Quickly on Data Breaches

 

Under the GDPR, a controller must notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). A processor, including a B2B US processor, must notify its controller without undue delay after becoming aware of a breach (Article 33(2)) so that the controller can meet that 72-hour window. Data breach management is an important part of any GDPR solution and is a feature of GDPR 365 compliance software. The reporting duty, including timescales and contact routes, must be written into the contract between companies sharing data.

 

Contracts Between Controllers and Processors

 

Under the GDPR a written contract (Article 28) must exist between controllers and processors, and an equivalent contract between processors and sub-processors. Processors may only act on the controller's documented instructions. For example, they may engage a sub-processor only with the controller's prior specific or general written authorisation, and under a general authorisation they must give the controller the chance to object to any change of sub-processor.

 

Get Ready to Prove Yourself

 

Under the GDPR, organisations must be able to demonstrate compliance. At the very least there must be a clear path towards it to limit fines after a breach. Whether regulators act, and how harshly, depends on the company's resources and the extent of its offence: the CNIL's €50 million fine against Google in January 2019 is the best-known example.

 

A US company processing EU data becomes liable for GDPR compliance. It’s like the domino effect. Can you show compliance to EU clients and prove you aren’t a chink in their GDPR armor? You must have the necessary system and security in place alongside trained staff that are familiar with GDPR needs. Your employees should sign confidentiality agreements that highlight their obligations.

 

Now’s the Time

 

Studies show that US companies have been slower to comply with GDPR than their European counterparts. Distance alone makes that no surprise. And yet it’s vital for US businesses that process EU data to quickly get on board with GDPR. This not only preserves their existing business, but readies them for the federal laws likely to come. That’s not to mention more demanding state laws, such as those on the horizon in California.

 

If you are a US data processor that is yet to catch up to GDPR, get started now!

Relentless GDPR 24/7  The Number One  GDPR  Portal

Pricing to suit all budgets and all company sizes

GDPR Compliance: Performing a Gap Analysis and Your Choices

 

GDPR compliance is no small matter for any company, but the way you go about it makes all the difference. With the right tools at your disposal, it can be manageable. A GDPR gap analysis shows you where you are on the road to compliance compared to where you should be. It helps you patch up risks. It’s useful to do at any stage, whether you’re just waking up to GDPR or have been tackling it from the outset.

There are several ways to go about a GDPR gap analysis, so where do you start? This article looks at the areas covered by an analysis and the services or tools you can use to perform one. Let's start with the first step of a GDPR compliance checklist.

 

Changes in Data Protection

 

The GDPR sets out seven key principles. These are nominally similar to those that existed before under the EU 1995 Data Protection Directive (DPD). But there were notable changes.

 

Among the changes that GDPR brought are these:

 

  • Consent to processing must be unambiguous and given by a clear affirmative action (explicit consent is required for special-category data). This outlaws opt-out boxes and pre-ticked opt-in boxes on consent forms.
  • Data controllers are more accountable and must be able to demonstrate compliance.
  • Data processors now have direct legal obligations and can be fined or sued for breaching them.
  • A wider definition of personal data to keep pace with technology (e.g. online identifiers).
  • Enhanced rights for data subjects (e.g. erasure, portability).
  • Wider territorial scope: it applies to anyone offering goods or services to, or monitoring, people in the EU, whatever their citizenship.
  • Harsher sanctions against those in breach (up to €20 million or 4% of worldwide annual turnover, whichever is higher).

 

Even if your company complied with previous DPD regulations, the GDPR creates more work. A gap analysis reveals the full extent of the work that needs doing.

 

The Scope of a GDPR Gap Analysis

 

The scope of a GDPR gap analysis may vary depending on who conducts it and for whom, but it is often comprehensive. If you’re a long way from compliance, a lighter gap analysis may be in order so you can quickly make the most pressing changes. Some of the key areas a GDPR gap analysis might examine are below.

  • IT governance, data protection and security: checking that best practices are in place throughout the business for management of personal data. This includes policies and procedures, accountability, reporting mechanisms and performance assessments.
  • Risk management: ensuring that companies conduct regular risk assessments and that the necessary regime is in place for effective risk management. Making sure assessment of risk to data subjects in processing their data takes place.
  • Data protection officer readiness: deciding whether a DPO is necessary, helping appoint a DPO.
  • Privacy By design and default: making sure staff know their roles and responsibilities and ensuring the company can readily prove compliance. Using GDPR for competitive advantage and putting infrastructure in place that allows that.
  • Scope of compliance: evaluation of the breadth of a company’s necessary compliance. This takes into account all data processing, data mapping and identifies cross-border processing, which often carries extra risk.
  • Personal information management system (PIMS): examining a company’s system of documentation and ensuring it’s in scale with the size and complexity of the business. Adjusting or streamlining it to align with GDPR needs.
  • Information security management system (ISMS): making sure the company’s ISMS fulfills its role of minimizing risk while efficiently managing sensitive data.
  • Rights of data subjects: facilitating the various rights of natural persons (e.g. access, erasure, portability, rectification, the right to be given the DPO's contact details). Underlining that the burden lies with the controller to demonstrate grounds for refusing or overriding these rights.
  • Data breach readiness and response: installing policies and procedures that enable fast reaction to data breaches and prompt reporting of them.

 

GDPR Gap Analysis: Who & How

 

There are different ways to perform a GDPR gap analysis. You can use a consultancy firm, employ someone in-house, or use GDPR software to do most of the work for you. The latter is viable for small to mid-sized businesses (SMEs).

 

GDPR Consultancy

 

GDPR consultancy firms do a thorough job in assessing GDPR compliance. Yet, it can be a drawn-out process and is often expensive. A small business can pay upwards of £2,500 for such a service. The fee rises to £4,000 or more for medium-sized enterprises. The report issued by a consultant will help a company become compliant, but it can soon become outdated after changes within the business. GDPR compliance is a constant need.

 

Internal Gap Analysis

 

Companies can run their own internal gap analyses using teams of technical or legal professionals if they have the resources. Some companies use a GDPR compliance checklist, which asks a long series of questions about all aspects of data handling and protection (e.g. policies and procedure, roles and responsibility, record-keeping, legal and regulatory). Checking compliance is a time-consuming project.

 

GDPR Software

 

GDPR software offers a neat solution to analysing compliance for SMEs. Because everything is in the cloud, collaborative efforts towards compliance are easier. Changes occur in real time. It’s affordable, too. This is what GDPR software can do:

  • Data Mapping: locating and tracking the flow of data
  • Data Protection Impact Assessment (DPIA): assesses the risk of data processing to subjects
  • Generates GDPR compliant privacy policies and contracts
  • Subject access management: creates a mechanism for handling SARs
  • Data breach management: helps manage and report data breaches
  • Subject consent management: assists in all aspects of gaining, recording and renewing consent
  • Compliance assessment: generates a data protection programme tailored to your company
  • DPO features: helps responsible parties implement and track compliance

 

Close the Gap

 

If you run a small to mid-sized business, GDPR software offers an easy way of achieving compliance. Bigger businesses with greater resources might not balk at the cost of consultancy or running an in-house team. Whatever you do, act now and close the GDPR gap! Try our FREE 14 day Trial now 

 

 

Achieving GDPR Compliance  for Non- EU Organisations Explained


GDPR is a Challenge for any International Organisation

 

Towards the end of 2018 the EDPB (European Data Protection Board) published its draft Guidelines 3/2018 on Article 3 of the GDPR (territorial scope). The main objective was to clarify when the GDPR applies to your business even if your presence on the EU market is limited or negligible.

 

The GDPR regulation applies to your business in two cases:

 

  1. when a controller or a processor is “established” in the EU and the processing takes place in the context of the activities of that establishment (the “EU establishment” rule), or
  2. when a controller or processor is not established in the EU but processes personal data of individuals located in the EU while (i) offering them goods or services, or (ii) monitoring their behaviour in the EU (the “targeting” rule).

 

EU Establishment Explained

 

The term “establishment” is understood broadly and does not require the formal registration of an entity in the EU. Apart from operational branches and subsidiaries of a non-EU entity, “establishment” also covers any stable arrangement that an organisation has within an EU member state. In one example, locating a single employee in a member state to facilitate business was enough to bring the organisation within the GDPR. The key requirement is a connection between the processing and the activities of that establishment; where the processing itself takes place, inside or outside the EU, does not matter. Mapping your organisation's operations and data flows helps determine the outcome.

 

Let’s look at some examples in practice?

 

GDPR will apply to (examples):

  • organisations located within the EU;
  • an international organisation with a branch or office in Amsterdam;
  • organisations with a representative positioned in the EU to facilitate EU business operations;
  • a Brazilian gaming-platform operator that places a marketing employee in Paris to plan its marketing;
  • organisations located in the EU even if they do not provide services to the EU market;
  • an organisation located in Belgium providing a taxi-booking application only to customers in Japan, Singapore and Thailand;
  • a manufacturing organisation headquartered in Stockholm that has all its processing operations in Tokyo.

 

GDPR will NOT be applicable to (examples):

  • international non-EU companies whose only presence is a website reachable from the EU;
  • a travel company in Australia offering package holidays in English, Spanish and German, if it has no stable arrangements in the EU and is not targeting an EU audience;
  • non-EU controllers merely because they use EU-based data processors;
  • an Argentinian retail company (controller) that signs a contract covering the processing of its clients' personal data with a data processor established in Ireland.

Targeting Rule explained

 

Independently of establishment, the GDPR applies to the processing of personal data of data subjects located in the EU (whatever their citizenship) where a non-EU controller or processor specifically targets individuals in one of the 28 EU member states. Targeting means (i) offering goods or services, directly or indirectly, to people in the EU, or (ii) monitoring their behaviour in the EU, for example profiling for behavioural advertising, geolocation or online tracking (cookies, pixels, etc.).

 

What does it mean in practice?

 

GDPR will apply to (examples):

  • international non-EU organisations that offer delivery to one of the 28 EU member states;
  • an online e-commerce site managed and located in Mexico that creates and delivers modern acrylic house-number signs to customers in Austria and Spain;
  • organisations that launch advertising campaigns directed at an EU audience;
  • a US start-up with no presence in any EU member state that provides a travel-guide mobile app for Amsterdam, Paris and Munich in order to deliver targeted ads for places of interest, restaurants and hotels.

 

GDPR will NOT be applicable to (examples):

  • international non-EU companies offering services not directed at an EU market;
  • a US local-news mobile app that happens to be downloaded by a US citizen visiting Europe, or a bank in Singapore that opens an account for a UK citizen living in Singapore;
  • non-EU entities merely because they employ EU nationals;
  • a private company based in the Bahamas that processes the personal data of its French and Italian employees.

Wrap up

Although the guidelines shed light on how the GDPR applies, much uncertainty remains in a number of real-life cases. We therefore always recommend a full risk-based assessment for international non-EU companies whenever personal data of individuals located in the EU are monitored, inspected or profiled for behavioural advertising, geolocation or online tracking (cookies, pixels, etc.).

The Relentless team deliver a broad range of GDPR services to International Organisations. We also cover data protection laws across the globe to ensure global compliance to international data processing law.

Relentless GDPR 24/7 Platform is now launched. GDPR 24/7 is a comprehensive portal with 11 modules to help your organisation achieve and maintain compliance. Try it FREE for 14 days.

Relentless GDPR 24/7 The New Platform for all GDPR Compliance Activities

 

Can you believe we are now into the second year of the GDPR?

 

It seems like only yesterday that businesses across the European Union (EU) were working overtime in a frantic scramble for compliance with the biggest change to data protection laws in decades. Yet here we are, over  one year on  and  for some businesses, little has changed.

 

While many may have taken the basic steps to update their privacy policy and establish explicit consent as their preferred legal basis for processing personal data, many more are still left wondering whether they’re doing GDPR right. What’s more, countless others are still processing that data without a clear strategy in place for dealing with data breaches or Data Subject Access Requests (DSARs).

 

If your organisation is one of them, the good news is on the way.

 

The new GDPR 24/7/365 platform from Relentless Privacy & Compliance is on hand to help you achieve frictionless GDPR compliance. It is built from the ground up with 11 modules covering everything needed to achieve compliance and then maintain it, and all modules are included in a low monthly price.

 

Available anywhere, at any time and on any Internet-connected device, this secure, cloud-based platform serves as your one-stop-shop for all the documents, templates, systems and strategies you need to simplify and streamline your entire GDPR  compliance process.

 

Why GDPR compliance matters now more than ever

 

 

Despite GDPR officially coming into play on May 25th, 2018, the organisations tasked with enforcing it throughout the EU -such as the UK’s Information Commissioner’s Office (ICO)- spent most of 2018 taking a fairly lenient approach to enforcement.

 

Though organisations could have been fined up to €20 million or 4 per cent of their worldwide annual turnover, whichever is higher, we didn't really see that kind of game-changing punishment handed out last year. Instead, those who did fall foul of the GDPR were hit with fines that amounted to little more than a proverbial slap on the wrist.

 

Yet, according to leading data protection experts, that may have been a subtle way for the ICO and its European counterparts to offer a “grace period” to EU organisations, effectively warning them to get their act together.

 

However, now that GDPR has passed its first anniversary, that grace period has come to an end, and those same experts are referring to 2019 as “The Year of Enforcement.” In other words, we should expect the gloves to come off and non-compliant businesses to be held accountable to the full extent of GDPR.

Not that this has to be such a terrifying prospect for any organisation.


Whether you’re a small startup or a rapidly expanding enterprise, the GDPR 24/7 portal contains everything you need to help avoid those huge fines and effortlessly manage your GDPR compliance.

Take your GDPR compliance status into the boardroom on any device, with no scrambling for documents to print off.

24 hours a day, 365 days a year, you’ll have access to:

  • Customisable DSAR forms branded with your company details, making it easy to accept, organise and process Data Subject Access Requests

  • A simple, secure online case management system so that you can record all of your DSAR responses in one convenient location

  • Data mapping and visualisation tools so that you can audit, manage and streamline your entire compliance process

  • The latest expert advice and guidance on all aspects of privacy and data protection

  • A bespoke GDPR compliance toolkit tailored to the exact, unique needs of your organisation

  • State-of-the-art automation to ensure your records of processing activities, privacy notices and other documents are always on hand and up to date

  • An online DPIA (Data Protection Impact Assessment) process tool to manage those high-risk projects

  • An online data breach management process

  • A controller / processor contract generator

  • Your own logo and branding inserted

Plus much more.

The new GDPR 24/7/365 platform from Relentless Privacy & Compliance is now live and ready for your organisation’s GDPR needs. For a free demonstration or to register your interest, call Relentless on +44 (0) 121 262 4024 or contact us online today.

Priced on average 40% lower than the main competition.

Relentless GDPR 24/7 comes with a free 14-day trial. Please register below.
