On July 10, 2018, the Brazilian Federal Senate approved a General Data Protection Regulation (“Lei Geral de Proteção de Dados” or “LGPD”). The bill was largely inspired by the European General Data Protection Regulation (“GDPR”). Although several LGPD provisions were vetoed by Brazil’s president in August 2018, a December 2018 executive order reinstated many of the vetoed provisions. Most significantly, the executive order reinstated the sections establishing an agency tasked with enforcing Brazil’s data protection laws.
This alert summarises the key provisions of the bill and addresses its applicability to US-based clients.
Territorial Scope and Definition of Personal Data
In a similar way to the GDPR, the LGPD defines “personal data” as any information relating to an identified or identifiable natural person. Additionally, in order to prevent the use of personal data for discriminatory practices, the LGPD establishes additional restrictions applicable to the processing of sensitive data. Article 5, II defines “sensitive data” as any data pertaining to racial or ethnic origin, religious beliefs, political opinions, membership of syndicates or religious, philosophical or political organisations, data relating to health or sexual life, and genetic or biometric data when linked to a natural person.
The LGPD applies broadly to any data processing operation occurring in Brazil, regardless of the location of the entity conducting the operation or holding the data. Further, the LGPD aims to broadly protect personal data, whether obtained by electronic or physical means, or by the public or private sector.
Under the LGPD, there are situations where anonymised data may be considered to be personal data. Specifically, when the anonymisation process to which the data has been submitted is reversible by the use of “reasonable efforts”, the data will be deemed personal data and thus subject to the LGPD rules. Similarly, if anonymised data is used for the purposes of establishing behaviour profiles, the LGPD will also apply.
Consent and Rights of Data Subjects
Article 7 of the LGPD sets forth a limited number of situations where the processing of personal data is allowed. Notably, the LGPD provides that the collection, use or processing of personal data may be conditioned upon first obtaining the explicit consent of the data subject.
Further, consent must be given in writing, in a clear and separate provision from other contractual provisions, or by “any other means that demonstrate the data subject’s consent.” The data processor or controller bears the burden of proof of showing that consent was given according to the terms of the LGPD. Additionally, any generic, blanket authorisation regarding the use of personal data is expressly prohibited. Similarly, data subjects may revoke their consent at any time, making consent a less reliable basis for processing.
The LGPD confers extended rights upon data subjects. Specifically, pursuant to the LGPD, data subjects have the right to access, rectify, cancel or exclude their data. Further, data subjects may also oppose the processing of their data. The LGPD also sets forth a right to data portability, pursuant to which an individual may request a copy of his or her data in a transferable format. Individuals may then opt to transfer their data to other service providers of their choice.
Legal Bases for Processing and Transfer
Similarly to the GDPR, organisations must identify a specific legal basis for any data processing. As mentioned above, the LGPD provides several legal bases in addition to consent, some of the more significant of which include:
Fulfilment of the controller’s legitimate interests, or the legitimate interests of a third party; or
For research purposes, provided the personal data is anonymised.
The LGPD also restricts cross-border transfers. Companies must ensure that personal data receives adequate protection when transferred. Data transfers are therefore allowed only under a number of circumstances, including where any of the following bases are met, the specifics of which will be further developed by the regulator:
transfers to countries offering adequate protection;
transfers pursuant to specific contractual clauses for a given transfer; standard contractual clauses; and global corporate rules;
where the regulator specifically approves the transfer; or
after obtaining the specific consent of the data subject.
Data Protection Officers (DPO)
The LGPD requires companies to appoint a DPO, seemingly without exception. The law also mandates that the DPO perform the following duties: accepting complaints and communications from data subjects; providing explanations and adopting measures; receiving communications from the national authority and adopting new measures; training the entity’s employees and contractors regarding best practices; and carrying out other duties as determined by the controller or set forth in complementary rules. Unlike under the GDPR, the DPO does not have to be a natural person, which means that the DPO role may be outsourced to a third-party legal entity or individual. Therefore, entities such as companies or working groups can fulfil the DPO’s responsibilities.
Civil Liability and Administrative Sanctions
Pursuant to the LGPD, the processor and the controller may be held jointly and severally liable for any damage resulting from a violation of the terms of the LGPD. The processor may also be held liable for failure to comply with the controller’s clear and legal instructions.
In addition to civil liability, failure to comply with the LGPD may also result in administrative penalties. Article 52 of the LGPD sets forth a number of penalties, which include warnings, fines, suspension or even prohibition of the activity related to the data processing. Fines are calculated based on a company’s annual net revenue, and are limited to a total amount of fifty million Brazilian reais (R$ 50,000,000), nearly thirteen million dollars (US$ 13,000,000). It must be noted that the fines are applied separately to each violation, resulting in a significant risk to data controllers and processors in the event of non-compliance.
The National Data Protection Authority
Article 55 of the LGPD establishes the creation of an independent federal agency named Autoridade Nacional de Proteção de Dados (“ANPD”). The ANPD will be responsible for the regulation of all matters related to data protection and for monitoring and enforcing the LGPD. Although initially vetoed by the Brazilian President, the ANPD was reinstated by executive order in December 2018. However, in order to remain effective, that executive order must be converted into law by the Brazilian congress in 2019. The ANPD does not have the power to audit companies, but may request information pursuant to an investigation.
The LGPD will come into effect 24 months following the original publication of the law. Therefore, enforcement is now set to begin in February 2020. Accordingly, US-based clients with operations in Brazil must plan to comply with the new regulation. Initial compliance steps include:
Identify to which data the LGPD applies;
Establish and document legal bases for processing;
Review data subject rights and establish processes for meeting those rights, including data subject requests;
Establish and document legal bases for international data transfers; and
Appoint a data protection officer.
Relentless Global Privacy Services have you covered
Faced with the challenge of appointing a Data Protection Officer (DPO), many businesses’ first thought is to look internally, handing data protection responsibilities to an existing employee. Yet doing so could do more harm than good to their GDPR compliance.
For some businesses, hiring a Data Protection Officer is a necessity, an essential part of the process of meeting the legal requirements laid down in the European General Data Protection Regulation (GDPR).
For others, it’s simply a worthwhile addition to the team, a means of implementing GDPR-recommended best practice and proving to customers, stakeholders, and employees alike that they’re taking data protection seriously.
Either way, the journey towards naming an official DPO can often prove to serve up just as many challenges as it looks to solve.
How do you find someone who knows your business and your data well enough to carry out the job effectively?
How do you find someone who combines that first-hand knowledge of your enterprise with a deep understanding of GDPR and other data protection regulation?
More importantly, how do you find someone who has all the necessary knowledge and data protection know-how, yet won’t stretch your already limited resources?
For some businesses, the immediate answer seems obvious:
Appointing a Data Protection Officer From The Existing Workforce
After all, who better to trust the management of your GDPR compliance at the highest level than someone already firmly established in your organisation?
That’s before we mention the fact that adding DPO responsibilities to the workload of an existing employee can prove significantly more cost-effective than going through the whole hiring process to bring in someone from outside the business.
Yet as easy as it seems on the surface, appointing an internal DPO isn’t always so straightforward.
At Relentless Privacy & Compliance, we work with businesses throughout the UK and internationally to help them manage DPO responsibilities in a way that proves both cost-efficient and effective in ensuring frictionless compliance with GDPR right across the board.
Here, we explain why appointing a Data Protection Officer from within your organisation may prove more difficult than you might think.
First though, let’s go back to basics:
What is a Data Protection Officer? Does My Business Really Need One?
In a nutshell, a Data Protection Officer is an officially named person responsible for overseeing the GDPR compliance of the organisation appointing them. If you hire a DPO, they’ll be the person who responds to Data Subject Access Requests, who ensures that all your compliance measures are sufficient and effective and, in a worst-case scenario, who reports a data breach to the relevant governing body. In the UK, that would be the Information Commissioner’s Office (ICO). For a full list of member state DPAs, please see the details here.
Hiring a DPO isn’t compulsory for every business or organisation. Article 37 of the GDPR states that your organisation will only be legally required to appoint a DPO if:
You’re a public authority (except for courts acting in a judicial capacity)
Your core activities require “large-scale, regular and systematic monitoring of individuals”
Your core activities consist of “large-scale processing of special categories of data or data relating to criminal convictions and offences”
What Does GDPR Say About Hiring a DPO From My Existing Workforce?
Here’s the thing:
GDPR doesn’t actually say that you can’t appoint a DPO internally.
It does, however, lay out several essential requirements for how the appointed person carries out their role. For example, the DPO must:
Be free to carry out their duties independently, with no influence from management or trustees
Carry out those duties at board level, reporting only to the highest level of seniority within the organisation
Be able to carry out their DPO duties without carrying out existing operational duties which serve as a clear conflict of interest.
It’s at this point when we start to see clear problems with appointing an internal DPO.
Avoiding a Conflict of Interest
When it comes to the responsibilities of a Data Protection Officer, a conflict of interest is likely to arise in either of two situations:
1: When the DPO’s other responsibilities involve defining the purposes and means of processing the very same personal data that they are responsible for governing the protection of.
2: When the DPO’s other responsibilities involve putting the interests of the business before the protection of personal data.
For example, you couldn’t appoint your existing marketing manager as DPO as they are typically responsible for determining what data is processed and why, and using that data first and foremost to help the business increase sales.
Likewise, your IT Manager, Chief Technology Officer (CTO), and IT Security Manager are also unlikely candidates for the position, since their existing roles are likely to be concerned, at least at some level, with managing data security measures.
Again, this serves as a conflict of interest since the DPO is responsible for determining whether those same measures are up to scratch in terms of ensuring frictionless compliance with GDPR.
Who Can I Appoint as a DPO if I Choose to Keep The Position Internal?
Just because there are certain roles within your organisation that are clearly unsuited for taking up DPO responsibilities doesn’t necessarily mean that there won’t be someone in your team suited to the position.
Provided they are sufficiently knowledgeable on GDPR and you’re confident that no conflict of interest would occur, an existing Compliance Officer, Freedom of Information Officer, or someone else in a similar position may be able to take up the post.
Remember, however, that regardless of what level their existing position may be at within your company structure, you must be prepared to recognise your DPO as a board-level role, reporting only to the highest level of management but without allowing that management to influence any of the decisions the DPO needs to make to ensure your business is compliant.
How Does This Apply if I Use a Third-Party to Process Data?
As a data controller (an organisation that determines the reasons why personal data is processed and the means of doing so), it may be that you outsource your actual processing to a third-party data processor.
This could take any number of forms, from hiring an external marketing agency to run campaigns based on your mailing lists, to using online services to process your accounts and HR practices.
Whatever the case may be, you’ll find it necessary, if you haven’t already done so, to update existing contract agreements with an addendum which outlines the rules and responsibilities of both parties when it comes to protecting that personal data in accordance with the GDPR.
In offering guidance on these contracts, the Information Commissioner’s Office says:
“Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.”
One of these ‘sufficient guarantees’ made by the processor is that, where necessary, they have appointed a DPO. This also applies to any sub-processors that are hired to carry out the processing work.
As a controller, you should be confident that an appropriate person has been appointed to the role of DPO and that any processors (and their sub-processors) are meeting GDPR requirements, as their failure to do so could still result in fines for your organisation.
Outsourcing DPO Services
So far, we’ve considered the dangers inherent in appointing an existing member of your workforce to the role of Data Protection Officer, all of which has likely left you with one very important question you need answering:
If hiring internally is going to create more problems than it solves, then what’s the alternative?
The answer is simple, and is presented to you in GDPR Article 37(6):
“The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”
In other words, there’s no need to risk a potential conflict of interest by hiring an existing employee when you can outsource the work of a DPO to a third-party.
Not only does this negate all the potential pitfalls of an internal appointment, but it also ensures that the person carrying out DPO services on your behalf can make the most of their position outside the company to remain fully impartial and independent, a key requirement of the GDPR.
At Relentless Privacy & Compliance, we offer a comprehensive Data Protection Officer service to companies throughout the UK and internationally, combining our years of experience in helping global organisations to meet data protection requirements with expertise in the most effective, affordable, and practical methods of ensuring frictionless GDPR compliance.
The result is that our clients not only ensure they meet all of the necessary GDPR requirements but that they do so in a way that provides a long-term, tangible benefit to their day-to-day operation.
An important implication of the CCPA (California Consumer Privacy Act) is that it does not limit itself to companies that are headquartered in California. Rather, it applies to any company that carries out business in the state of California. Additionally, any such business that collects personal information, which in many cases is defined in terms much broader than the terms used by GDPR, must adhere to CCPA guidelines.
The scope of personal information covers anything that can be associated with an individual from financial, medical information to internet activity, IP addresses and even inferences that are drawn from the data. Anything that can be associated with or identifies an individual could be covered.
Additionally, the CCPA defines “sale” as any transfer to a third party for consideration. This includes the transfer of information between brands operating under the same parent company. Knowing how consumer data is transferred within your organization will become very important with this law.
WHAT DOES IT MEAN FOR HOSPITALITY?
Hotels today are collecting large volumes of personal data of all kinds, some of which could be sensitive in nature. The CCPA sheds light on how hotels now need to think about how they are managing this data, who has access to it, and who it is shared with: OTAs, car rental companies, travel excursion companies, etc. Hotels need to know where this data goes to better understand whether it falls under the CCPA’s definition of the sale of information.
Types of Organizations to Which the CCPA Applies:
Any for-profit organization that collects consumers’ personal data, does business in California, and satisfies at least one of the following three requirements:
Has annual gross revenues in excess of $25M
Possesses the personal information of 50k or more consumers, households or devices on an annual basis
Earns more than half of its annual revenue from selling consumers’ personal information
Individuals to Which the CCPA Applies: California residents – including both consumers and employees
MAJOR THEMES OF COMPLIANCE:
Right to disclosure – This is the right to be informed, before or at the time that personal information is collected, of the type of information being collected and why it is being collected. Additionally, consumers under this law have the right to request a data trail of what information was collected about them and how it was used after the fact.
This presents two significant problems for hotels. First, hotels will need to be able to track every data point they have collected on individuals including where the data was sent and how it was used.
With hundreds if not thousands of data points collected on every individual, this is daunting. Second, hotels will be tasked with verifying the identity of the requester to ensure this isn’t a form of fraud.
Right to deletion – Consumers have the right to request that a business delete all of the information they have on file about them. However, there are nine exceptions to this right, both under GDPR and similarly under the CCPA. Unfortunately, consumers will often try to use this right as a way of abusing the system or creating what they think will be a loophole to escape obligations, for example to escape payment for services such as bar bills, room service, cancelled bookings, etc.
Right to opt out– This refers to the consumers’ right to opt out of the downstream “sale” of their personal information.
Right to non-discrimination – Businesses can’t deny goods or services to consumers who exercise their right to privacy.
The right to opt out and the right to non-discrimination present a particularly troubling issue for hotel loyalty programs. In fact, it’s impossible to comply: for example, a hotel needs a person’s stay information to be able to give them the benefits that come along with their stay from a loyalty perspective. There is currently an amendment pending that could exclude loyalty programs specifically, but if the amendment doesn’t pass, this could put significant stress on loyalty programs.
What are the penalties?
There are two possible outcomes.
In the case of a data breach, individuals will be given the opportunity to leverage a class action lawsuit on the basis of statutory damages. This means that consumers will not have to prove they suffered any damages, they will only have to prove their information was exposed and the company did not have reasonable security measures in place. Damages will range between $100-$750 per person per incident. So if 10,000 California residents are impacted by a breach, that’s a minimum of $1 million besides all of the additional costs associated with data breaches.
The attorney general can come after hospitality companies for any breach of the law, which will usually result in a fine. The hospitality company will be given 30 days to remedy the offence before the fine is imposed.
Hospitality Sector Vendor Risk
For many hospitality companies, their partnerships with vendors could pose a significant risk. However, the CCPA offers specific provisions that hotel companies can include in their contracts with service providers so that they are not liable if the service provider misuses the consumer data. This is a protection built into the law.
Our ten advisory steps that hospitality companies can take to minimize their risk are:
1) Assess your CCPA compliance
2) Complete CCPA assessments
3) Map the flow of personal data to perform key CCPA tasks
4) Streamline and comply with CCPA consumer rights
5) Meet the “Do not sell my personal information” requirement
6) Enable location specific cookie banners
7) Review vendors for CCPA contract obligation accountability
8) Comply with California data breach notification laws
9) Train employees
10) Enable reporting and metrics; keep evidence of consumer reports
Relentless Privacy and Compliance Services CCPA Service has you covered
Data protection is unlikely to be foremost in people’s minds when considering the impact of Brexit, whether it be soft or hard, deal or no deal. The UK Government has, however, recently issued papers about various topics in a ‘no deal’ situation, and one of these is entitled: Data protection if there’s no Brexit deal.
In the event of a ‘no-deal’ Brexit, with no agreed arrangements covering data protection, the Government is advising organisations to prepare appropriate contracts to ensure any transfer of European Union citizens’ personal data to the UK is compliant with privacy laws.
The UK faces the prospect of being regarded as a third country when it exits the EU. As a result, the transfer of personal data from organisations within the EU to organisations in the UK will be subject to strict data transfer rules, as set out by the EU General Data Protection Regulation (GDPR). EU organisations will have to ensure their transfers to the UK are lawful, and that’s not going to be as simple as it is now.
You may have heard talk about ‘adequacy’ and speculation if the UK will be given ‘adequacy status’. Let’s explain.
What is adequacy?
It’s all about demonstrating to the EU that the UK is a safe place for data processing so that restrictions on data transfers are not imposed. The European Commission can assess non-EU countries’ level of personal data protection to see if it is essentially of an equivalent level to that of the EU. If a country ‘passes’ the rigorous testing, the Commission can make an Adequacy decision.
Countries with adequacy are not bound by the appropriate safeguard requirements set out in Article 46 and Article 47 of GDPR, and personal data can flow unrestricted.
The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. We should also mention the US-EU Privacy Shield, which is a recognised control for data transfers between the US and EU. This is limited to organisations in the US who sign up to the Privacy Shield framework.
Most recently in July 2018, the EU and Japan agreed to recognise each other’s data protection systems as ‘equivalent’.
Will the UK automatically be awarded adequacy status?
Unless a Brexit deal is reached between the UK and the EU before 31st October 2019 which covers data protection and data transfer arrangements, the answer is no. The Commission would need to go through an assessment process before adequacy could be granted. Despite pleas from the UK Government for this process to start, the Commission’s current position is that it will not commence the process until the UK has left the EU and become a third country. Article 45 of GDPR sets out what the Commission should take into account when considering whether to grant adequacy.
Is the UK likely to be awarded adequacy status?
If the UK leaves the EU on October 31st 2019 with no agreement surrounding data protection & data transfers, the UK Government has stressed, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.
It is widely hoped this will go a long way in persuading the EC to grant adequacy. However, there are concerns the Commission will take a more detailed look at the UK’s crime and national security legislation during its assessment, and in particular the controversial Investigatory Powers Act 2016. This has been criticised by the European Court of Human Rights for giving too much power to security and intelligence services which could violate individual privacy.
Japan will be the first adequacy decision made under GDPR so the UK Government can learn a lot from the process, the EDPB (European Data Protection Board) opinion that has been requested, and the final adequacy decision (once published). Japan has a different data protection regime and has had to agree to add to their national law to get adequacy. Therefore, given the UK implemented Directive 95/46 and has implemented GDPR, a decision that the UK is not adequate would seem unlikely. However, as a third country the UK will be subject to greater scrutiny, and Brexit is unprecedented, so nothing is certain.
The EC’s process for reaching an adequacy decision typically lasts several months (even years) and there is no guarantee it will be granted.
So, what do organisations need to do?
Let’s be clear, if no agreement is reached the UK will become a third country to the EU and will not have adequacy – at least not right after Brexit. So new restrictions for EU-UK data transfers will apply – at least in theory.
UK to EU transfers
The transfer of personal data from the UK to EU member states will, according to the Government, remain unaffected. The Government has stated, “In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”
EU to UK transfers
UK organisations which receive any transfers of personal data of EU citizens, or any personal data from EU member states, need to prepare for the possibility of no deal. Initially, at the least, the UK will not be deemed an adequate country and there will be a burden for compliance with Articles 46-49 of GDPR on organisations sending personal data to the UK.
Organisations are being advised now to work with their EU partners to ensure compliant transfer of personal data between the UK and EU can be achieved.
The Government is advising that for the majority of organisations the most relevant legal basis for such transfers would be Standard Contractual Clauses (SCCs). These EC-approved data protection clauses, often known as model clauses, need to be embedded within contracts (without any changes), or added as an appendix to an existing contract, which may need to be reviewed on this point to avoid ambiguity. They cover the contractual obligations between both parties to protect the rights of the individuals whose data is being transferred. So model clauses are the way to go.
UK entities that are part of multinationals will be affected just as much as UK-only organisations where personal data is transferred into the UK from the EU. However, multinationals that already have approved Binding Corporate Rules (BCRs) may not be affected, as a BCR is more focused on the group approach to management of personal data, including data transfers. Some multinationals have also set up a framework agreement incorporating EU Standard Contractual Clauses, and such an agreement may well survive Brexit, as the UK company described as a data exporter simply switches to being a data importer. This, however, would not be the case where the UK entity was signed as an exporter on individual contracts based on standard contractual clauses.
Anything More to Note?
Organisations based outside the EU which offer goods and services to EU citizens, or monitor the behaviour of EU citizens, fall under the scope of GDPR Article 27, which includes the requirement for such organisations to nominate a representative in one of the EU member states. So, after Brexit, when the UK is outside the EU, this article will bring many UK organisations within its scope.
Also, worth considering is whether your organisation is currently relying on the EU-US Privacy Shield. If so this will need revisiting, as upon Brexit the UK will not be part of this arrangement.
In this period of uncertainty, it would appear prudent to start preparing for what may come – i.e. abide by existing legislation but anticipate possible changes and scrutiny of business processes impacted by cross-EU data sharing. One would need a crystal ball to predict the outcome of any Brexit deal (at the time of writing only six months away), but it is entirely possible a period of ambiguity might result as political manoeuvrings are completed.
As ever, businesses which act in good faith, recording and justifying any changes to business processes and decisions, will be less vulnerable than those which do not – Keep Calm and Prepare.
Transatlantic commerce is invaluable to companies in the US and EU. The sale of goods and services is made easier for both sides by following consistent operating standards for data protection. In some ways the US is already moving towards tougher privacy laws with the introduction of the California Consumer Privacy Act of 2018, followed by recent calls from the CEO of Facebook for the US and countries around the world to adopt privacy regulations built on the GDPR. Focusing upon US companies considering their privacy policies and procedures in Silicon Valley and beyond, in this blog post we consider the geographic scope of GDPR and the core business functions it impacts upon.
The implementation of the GDPR, which came into effect on 25th May 2018, required comprehensive changes to business practices for many companies that did not already have a comparable level of data protection in place. Company departments from Finance to HR, Marketing, Sales, and Customer Support were all affected by the required changes. Companies working with partners also had to ensure that these entities were GDPR-compliant; typically the data controller signs a data processing agreement with their data processors to document responsibilities and ensure processors act on the controller’s instructions.
When does the GDPR apply to US companies?
According to Article 3 of the GDPR, your company is subject to the requirements of the GDPR if it is based outside the EU but collects (i) personal data of individuals located in the EU for the purpose of offering goods or services regardless of whether a payment by the individual is required (i.e. marketing); or (ii) behavioural information as far as their behaviour takes place within the EU.
Conversely, the GDPR will not apply to the processing of data relating to individuals located outside the EU when the data is collected. US companies with an online presence should therefore be particularly mindful of the GDPR.
There are three categories of individuals who you should bear in mind:
Marketing to potential customers in the EU
The GDPR differentiates between targeted and general marketing. Put simply, the GDPR only applies to targeted marketing i.e. material that is clearly aimed at a particular market. Key indicators of targeted marketing include using a local website suffix (such as “.co.uk”) and listing prices in the local currency.
The mere accessibility of a company’s website or contact details to customers in the EU is more general in scope and would not be classed as targeted.
Pertinent to marketing is the GDPR principle of lawfulness, fairness and transparency. This means that you must be clear, open and honest with people from the outset as to how their personal data will be used.
In particular, customer consent must be freely given, specific, informed and unambiguous when signing-up for marketing materials.
It is not acceptable to use pre-ticked check boxes or bulk consent to multiple processing activities with information for customers spread across numerous legalistic documents. A record must also be kept for each individual, including when the consent was provided and what was consented to.
Audit Your Data
Auditing the data your company holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include locating where your data is stored; why certain kinds of personal data are being processed; what is the legal basis for processing; how long it is retained; who has access currently to personal data and who should have access to it moving forward; are the appropriate technical and organisational controls in place and how much duplication of customer personal data exists across multiple sites.
All these areas need to be addressed before you can decide on the best course of action for your business. This first step, creating a holistic view of where all the different types of your customer data reside, is a critical one. If you don't know what personal data you hold, you can't make any plan around that data. The GDPR 24/7 platform documents and creates a visual map of where your data is, how it flows and under what lawful basis it is processed. Pricing starts from £49 pm for professionals, rising to £149 pm for Business Plus for organisations up to 250 employees. Organisations over 250 employees: POA.
DPIAs, or Data Protection Impact Assessments, may need to be carried out by companies before any new processing starts that presents a risk to data subjects, to ensure data protection by default and by design is in place, a key GDPR concept. Most European Data commissioners give guidance on their websites around DPIAs and when they should be carried out.
Audit Your Service Providers
The task of auditing your service providers' compliance is where a lot of US companies may fall flat, and may be where the most significant risk resides in your business. You will need to review your agreements with third-party service providers who process personal data on your behalf and sign data processing agreements. The data controller is obliged to sign contracts under GDPR, and the data processor can only act on the Controller's instructions.
If one of your data service providers is not able to prove that they are on the right side of GDPR compliance for US companies, then the work they do related to the personal data of your data subjects in the EU could be deemed non-compliant and put the controller at risk.
The Right to be Forgotten and Data Subject Rights
Data subjects could include employees, candidates, customers or even potential customers if your business collects prospective leads. Under new GDPR regulations data subjects have the following rights:
The right to be informed;
The right of access;
The right to rectification;
The right to erasure (the right to be forgotten);
The right to restrict processing;
The right to data portability;
The right to object;
Rights in relation to automated decision making and profiling.
Under data protection law, anyone can ask if your organisation holds personal information about them. You must respond to their request as soon as possible, and within one month at most. Requests for personal data should be fulfilled for free in most cases. Relentless GDPR 24/7 automates the management of DSAR requests so you never miss the deadline to reply.
Controllers and Processors
You will need to understand whether you fall into the category of a data processor or a data controller under the new GDPR guidelines. A data processor is a company that processes personal data on behalf of a controller. A data controller is a company that determines the purposes and means of how customer data is to be processed. Both Controllers and Processors have different implications concerning how they comply with the GDPR for US companies, and your company could be both a data controller and data processor at the same time.
To complicate matters even further, a data controller can have multiple data processors, and each processor in turn multiple sub-processors. Under the new Regulation, the data controller is liable for the actions of the data processors that it works with in the market. It is essential that US companies carefully select their data processors where the data of data subjects in the EU is being processed, and sign data processing agreements with them. A data processing agreement should govern the relationship between a controller and a processor and, in turn, the processor's sub-processors. The agreement should include all aspects of data protection governance; Articles 28 and 82 of the GDPR detail what these agreements or contracts should cover.
GDPR Penalties and Fines
Officials realise that enforcing GDPR is essential for consumer protection. Forty-one companies have received fines from Germany for GDPR-related offences. The highest fine, $80,000, penalised an organisation for failing to protect health information from public disclosure.
Business reputation is the perception of stakeholders about the company's past and future ability to deploy its strategy to meet their expectations. Managing and forging this internal and external trust enhances the perceived quality of services, attracts talented leaders and business partners, improves performance, allows access to capital, creates differentiation, delivers sustained earnings, and increases market value. Reputation is the final consequence of how ethical values have permeated the corporate culture to become visible to stakeholders. Corporate values need to be more than self-proclaimed to improve the image perceived by stakeholders.
A leading topic at nearly every risk management conference is how to value the reputational impact. Reputation is so intangible, qualitative and unique that it’s hard to value its depreciation as an asset. However, boards and risk owners need to define a quantitative measure to manage. It is essential to quantify reputational risk regarding its likelihood and financial impact.
The economic impact on reputation is usually quantified by using:
Return on investment of communication program
Customer acquisition and retention rates
Employee hiring and retention rates
Compliance and regulatory investigation costs
Lawsuits and litigation costs
Business opportunities in mergers, acquisitions and partnerships
Data Protection Officer
Many organisations, particularly smaller ones, may find that the DPO’s responsibilities are a challenge to deliver, given the breadth of knowledge required of data processing and data security operations. The GDPR allows organisations to outsource the DPO role to an external provider.
Outsourcing DPO tasks and duties to a managed service provider means you get access to expert advice and guidance that helps you address the GDPR’s compliance demands while staying focused on your business activities. Benefits of outsourcing the role include:
A practical and cost-effective solution to achieve GDPR compliance;
Access to independent DPO expertise not available internally;
No conflict of interest between the DPO and other business activities;
Application of best practice in achieving and maintaining GDPR compliance;
Cost-effective compared to an internal appointment; and
Access to GDPR training and compliance solutions.
Data Breach Notification
If a data breach does occur, your company must report the event to the appropriate data protection authority within 72 hours of becoming aware of the event.
Each EU member state has its own data protection authority that will be responsible for implementing the GDPR rules. If the data breach poses a high privacy risk, a high risk to the rights and freedoms of data subjects (your customers), then those customers must also be notified by your company.
Prepare for Data Breaches
Recent high-profile data breaches demonstrate how critical it is to be ready to handle a breach. Advance planning will ensure you have a clear strategy focused on protecting and informing your customers. A detailed plan could minimise damage to your organisation’s reputation.
The EU General Data Protection Regulation (GDPR) imposes a data breach regime on all data controllers and processors handling personal data. This requires organisations to ensure data is adequately protected against loss, theft, unauthorised access etc. Data processors are obliged to report personal data breaches to controllers, and in turn controllers need to be prepared to comply with the personal data breach notification rules.
Record of Processing Legal Basis and Consent
Each controller will have the responsibility to maintain records of all the processing activities which take place within the organisation. These records (which need to be in writing, including in electronic form) must contain all of the following information:
the name and contact details of the controller and, where applicable, the data protection officer;
the purposes of the processing;
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
the transfers of personal data to a third country or an international organisation, including the documentation of suitable safeguards;
the envisaged time limits for erasure of the different categories of data; and
a general description of the applied technical and organisational security measures.
Train Your Employees
Not only does training staff reduce the risk of breaches, it also demonstrates compliance with GDPR. For example, if an organisation were to experience a data breach and had documented its staff training, this could be used as evidence that it had taken appropriate steps to prevent a data breach and was taking the regulation seriously.
Of course, not all staff members are required to have the detailed knowledge of the full legislation that a compliance officer would have, but a good start is to ensure all staff are aware of GDPR and the issues of data protection. Article 39 of the GDPR sets out that staff awareness-raising and training is required.
Data Retention Policy
GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
Therefore, in deciding how long to retain personal data for, employers will make their decision based on statutory retention periods, limitation periods for claims, individual business needs and the data quality principles.
The GDPR brings a requirement to demonstrate extra accountability so the organisation or company must be able to demonstrate compliance.
GDPR for US Companies: Ongoing Compliance
GDPR compliance isn’t a one-off – it has to be maintained
If your business was one of those that took appropriate steps to comply with the rules of the GDPR before 25 May, you might believe that you can relax and put the rules to the back of your mind. But compliance is not a one-time exercise, and if you want to stay within the law your company needs to constantly reassess its security procedures and practices.
Additionally, some businesses make the mistake of believing that Brexit will affect the GDPR – perhaps that the legislation will cease to be the law after the UK leaves the European Union. Brexit is no reason to assume that these new rules will cease to apply, however.
Firstly, the UK is not scheduled to withdraw from the EU until October 31 2019, so GDPR compliance will be required up until this date anyway. But furthermore, the UK has passed GDPR into UK law, known as the Data Protection Act 2018 which will continue to maintain and enforce GDPR standards after Brexit occurs.
The GLBA is one of many data privacy laws that protect customer information. Find out what it is and how to reach compliance.
The GLBA, or Gramm-Leach-Bliley Act (or the Financial Services Modernization Act of 1999), primarily affects financial institutions, which must provide privacy notices to customers, protect customer information via physical and electronic means, and restrict what personal customer information they share with third-parties. Like the European Union’s General Data Protection Regulation (GDPR), it’s another privacy law that requires companies and other organisations to explain how they protect, share, and use the private information of customers.
But what is considered a “financial institution”?
Financial institutions are basically any company that provides financial products or services such as banks, investment banks, securities firms, insurance companies, non-bank mortgage lenders, real estate appraisers, loan brokers, financial or investment advisers, debt collectors, tax return preparers, and real estate settlement service providers. Accountants, professional tax preparers, and courier services must also comply with the GLBA. Another institution that has to comply with the GLBA is higher education, since colleges and universities collect and share financial information from students.
If your organization has to comply with the GLBA, there are several things that you have to do to meet compliance.
The first big hurdle is to provide a privacy notice to customers (before you start any business with them) that details what kind of personal information you will gather, how it will be used, and how it will be protected from unauthorised access, malicious outsider use, or leaks. Customers also need to know how they can opt out of sharing their information with third parties, and that they may not opt out of sharing information with certain parties (such as marketing companies used by your financial institution, or law enforcement).
The other major compliance requirement is the implementation of privacy security protocols. You must provide descriptions of the policies to customers, in writing, which detail how departments intend to protect customer data, as well as how they will conduct regular risk analysis, monitoring, and testing of any practices and protocols meant for data protection.
Like many other data privacy laws, companies that adhere to the GLBA must protect the personally identifiable information of customers, including credit card and bank card numbers, credit and income histories, Social Security numbers, addresses, names, phone numbers, and any other personal data that the financial institution collects.
Failure to comply could result in civil penalties up to $100,000 for each violation, fines up to $10,000 for individual officers and directors of an institution, or even imprisonment for up to five years.
Definition of Security Events
“an event resulting in unauthorised access to, or disruption or misuse of, an information system or information stored on such information system”
This definition is important because it makes unauthorised access alone, with appropriate exclusions, the threshold. Under the new Safeguards Rule, ransomware or DDoS attacks would be considered a cyber event (along with standard data theft, of course), as illustrated by the recent Capital One data breach; such events will then have to be monitored and appropriate actions taken to resolve them.
Monitor User Activity
The regulators understand that financial companies will need more than just an audit trail to detect attackers. They’re also proposing to add language that covers policies and procedures
to monitor the activity of authorised users and detect unauthorised access or use of, or tampering with, customer information by such users
In the regulator's discussion about this point, they say financial organisations should be able to use the technology to "identify inappropriate use of customer information by authorised users", giving as an example the transfer of large amounts of information for which there is no legitimate use. By the way, they emphasise that this requirement is separate from an audit trail.
In other words, they are talking about monitoring technology that discovers unusual or abnormal activities from legitimate users.
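The kind of check the regulator describes, as an added example written for this post rather than code from the page or from any regulator or product: every line in the constructed audit trail below comes from an already authorised user, so a login or access-control check alone would never flag it. The detector baselines each user's own export volume and raises an alert when a single action is far above that baseline, and separately when an authorised user acts on a dataset outside their role. The log format, role-to-dataset mapping and thresholds are assumptions for the example.

```python
"""Spot abnormal use of customer information by authorised users.

Added example, not code from the page or any regulator. Each constructed
audit-log line is an action by an authorised user; the check baselines each
user's normal export volume and flags one action far above it, or any action
on a dataset the user's role has no business with.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit trail: "<timestamp> <user> <role> <action> <dataset> <rows>"
AUDIT_LOG = """\
2019-11-04T09:01:12 alice support export customer_profiles 40
2019-11-04T09:15:03 alice support export customer_profiles 55
2019-11-04T10:02:44 bob finance export card_numbers 12
2019-11-04T10:30:19 alice support export customer_profiles 48
2019-11-04T11:11:51 bob finance export card_numbers 15
2019-11-04T13:45:00 alice support export customer_profiles 9000
2019-11-04T14:02:37 bob finance delete customer_profiles 1
2019-11-04T15:20:08 alice support export customer_profiles 52
"""

# Which datasets each role legitimately works with (assumption for the example).
ROLE_DATASETS = {
    "support": {"customer_profiles"},
    "finance": {"card_numbers", "invoices"},
}

ROW_FLOOR = 100      # below this many rows nothing counts as a "large" transfer
ZSCORE_LIMIT = 3.0   # how far above a user's own norm counts as abnormal


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, dataset, rows = line.split()
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "dataset": dataset, "rows": int(rows)})
    return events


def detect_abnormal_use(events):
    """Return alerts as (timestamp, user, kind, detail) tuples for
    (a) exports far above the user's own baseline ('bulk_export') and
    (b) any action on a dataset outside the user's role ('out_of_role_access')."""
    alerts = []
    exports = defaultdict(list)  # user -> [(event index, rows)]
    for i, e in enumerate(events):
        if e["action"] == "export":
            exports[e["user"]].append((i, e["rows"]))

    for i, e in enumerate(events):
        allowed = ROLE_DATASETS.get(e["role"], set())
        if e["dataset"] not in allowed:
            alerts.append((e["ts"], e["user"], "out_of_role_access", e["dataset"]))
        if e["action"] != "export":
            continue
        # Baseline is the user's other exports (leave-one-out), so the
        # suspicious event does not inflate its own threshold.
        others = [r for j, r in exports[e["user"]] if j != i]
        if len(others) < 2:
            continue  # not enough history to call anything abnormal
        mu, sigma = mean(others), pstdev(others)
        threshold = max(ROW_FLOOR, mu + ZSCORE_LIMIT * max(sigma, 1.0))
        if e["rows"] > threshold:
            alerts.append((e["ts"], e["user"], "bulk_export", e["rows"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_abnormal_use(parse_log(AUDIT_LOG)):
        print(alert)
```

The per-user baseline is what separates this from a plain audit trail: the 9000-row export is flagged because it is far outside alice's own pattern, while bob's small exports of card numbers are normal for his role and stay quiet. A production version would baseline over weeks of history, but the shape of the check is the same.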
The FTC regulators are well aware that financial companies have likely implemented controls on access rights. But they decided to add explicit language for access controls in the proposed update:
“would require financial institutions to place access controls on information systems, designed to authenticate users and permit access only to authorised individuals in order to protect customer information from unauthorised acquisition”
Note the language for only permitting access to authorised individuals.
Limits on Data Retention
The regulators want to force companies to eliminate data that no longer has “a business purpose.” Their NPRM proposal would
require financial institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes
This is straight from the NYDFS Cyber Regulation, and similar to GDPR's requirement to minimise data. However, unlike the GDPR, there are no requirements for setting explicit time limits or duration. Maybe that will change?
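A purpose-based retention schedule with a disposal run, as an added example covering both the GDPR data retention policy section above (retain only as long as necessary for the purpose) and the GLBA disposal requirement here. This is illustrative code written for this post, not code from the page or from any product; the purposes, retention periods, record ids and dates are constructed, and real periods would come from statutory retention periods, limitation periods and business need. Records whose purpose has no documented time limit are reported as a gap rather than silently kept, since under the GDPR the envisaged erasure time limit is part of the record of processing.

```python
"""Purpose-based retention schedule with a disposal run.

Added example, not the page's or any product's code. Retention periods,
record ids and dates are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed schedule: purpose -> number of days the data stays necessary.
RETENTION_SCHEDULE = {
    "order_fulfilment": 7 * 365,    # assumed accounting limitation period
    "marketing_consent": 2 * 365,   # assumed: re-confirm consent after two years
    "support_ticket": 365,
}

# Constructed inventory of personal-data records.
RECORDS = [
    {"id": "r1", "purpose": "order_fulfilment", "collected": date(2011, 3, 1), "legal_hold": False},
    {"id": "r2", "purpose": "marketing_consent", "collected": date(2017, 6, 30), "legal_hold": False},
    {"id": "r3", "purpose": "support_ticket", "collected": date(2018, 1, 15), "legal_hold": True},
    {"id": "r4", "purpose": "support_ticket", "collected": date(2019, 9, 1), "legal_hold": False},
    {"id": "r5", "purpose": "analytics", "collected": date(2016, 1, 1), "legal_hold": False},
]


def retention_status(record, schedule, today):
    """Classify one record: 'keep', 'dispose', 'legal_hold' or 'no_schedule'."""
    days = schedule.get(record["purpose"])
    if days is None:
        return "no_schedule"   # purpose has no documented time limit: a gap to fix
    expires = record["collected"] + timedelta(days=days)
    if today < expires:
        return "keep"
    if record["legal_hold"]:
        return "legal_hold"    # past retention, but a litigation/regulatory hold applies
    return "dispose"


def run_disposal(records, schedule, today):
    """Drop records past their retention period and return (kept, audit_log).

    Every disposal, hold and missing schedule is written to the audit log so the
    controller can demonstrate what happened without keeping the data itself."""
    kept, audit = [], []
    for r in records:
        status = retention_status(r, schedule, today)
        if status == "dispose":
            audit.append({"id": r["id"], "purpose": r["purpose"],
                          "disposed_on": today.isoformat(), "reason": "retention_expired"})
        else:
            kept.append(r)
            if status in ("legal_hold", "no_schedule"):
                audit.append({"id": r["id"], "purpose": r["purpose"],
                              "disposed_on": None, "reason": status})
    return kept, audit


if __name__ == "__main__":
    remaining, log = run_disposal(RECORDS, RETENTION_SCHEDULE, date(2019, 11, 4))
    for entry in log:
        print(entry)
    print("kept:", [r["id"] for r in remaining])
```

The legal-hold branch matters in practice: a record past its retention period must still be kept while litigation or a regulatory investigation is pending, and the audit entry records why it was not disposed of. In a real system the "dispose" branch would call the secure-deletion routine of the store holding the data (database purge, object deletion with versioning cleared, media sanitisation), which is environment specific and therefore left out here.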
As you can see, there are many similarities between GDPR and GLBA. Utilising your strong GDPR strategy programme together with your GDPR platform software can ensure you avoid duplication of effort in striving for compliance with both regulations.
GDPR 24/7 covers the following
Data Risk assessments
Incident and Risk Register
Data Policy Management
See how Relentless GDPR 24/7 can help the Fintech industry meet the strict requirements of both regulations.
GDPR mandates that the impact of any processing activities be taken into account when developing a new product, technology or service, from the beginning and throughout the life cycle of the product. Security and privacy measures should be integrated into the project, rather than being an afterthought in a post-design "checkbox" exercise. Companies and organisations which acted quickly and proactively to implement the new regulatory requirement are in pole position to ensure their products and services are compliant in the new GDPR era.
The origins of data protection by design and its seven principles
The concept of data protection by design is far from new, with some of the initial discussion and consideration of the topic extending back as far as the 1970s. What is new is the fact that Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) now mandates organisations to take privacy by design into account from the conception of a new product, technology or service (Article 25), rather than on a self-regulatory basis as it was under the previous regime of Directive 95/46/EC (recital 46). The shift from a recital to a fully-fledged article imposing a legal obligation is a positive step forward for data protection as a whole.
The modern version of data protection by design (and by default) can be traced back to the seven principles of privacy by design:
Proactive not reactive, preventative not remedial
Being proactive means that data privacy risks should be foreseen, be at the centre of planning and be mitigated before they can manifest, rather than rectified on a reactive basis. An ancillary benefit of this type of approach is potential protection from public exposure of data privacy issues which could cause reputational harm (e.g., the Marriott Hotel Group breach). From the initial conception and design of a new product, technology or service, organisations should begin to plan the implementation of data-protection-enhancing measures.
A clear commitment, at the highest levels, to set and enforce high standards of privacy − generally higher than the standards set out by global laws and regulation.
A privacy commitment that is demonstrably shared throughout by user communities and stakeholders, in a culture of continuous improvement.
Established methods to recognise poor privacy designs, anticipate poor privacy practices and outcomes, and correct any negative impacts, well before they occur in proactive, systematic, and innovative ways.
Privacy as the default
The highest settings of privacy should be enabled by default for the user when they utilise any system or access any service or system. This means that if the user does nothing to change the standard settings, their protection remains full. This guarantees that no action is required on the part of the user to protect their privacy.
Privacy by default also expands to data retention periods: personal data should only be kept and stored as long as it is necessary for the operation of the product or service, and this often translates into creating the mandated data retention schedule and the design and testing of processes for the operation of executing retention periods. Products, technologies and services should by default protect individuals’ data to the maximum, even if organisations may still want to include options where the data subject can disable these measures. Presenting data subjects with choice over what happens with their data is the cornerstone of any new data protection administration within a forward thinking organisation.
Purpose Specification – the purposes for which personal information is collected, used, retained and disclosed shall be communicated to the individual (data subject) at or before the time the information is collected. Specified purposes should be clear, limited and relevant to the circumstances.
Collection Limitation – the collection of personal information must be fair, lawful and limited to that which is necessary for the specified purposes.
Data Minimisation − the collection of personally identifiable information should be kept to a strict minimum. The design of programs, information and communications technologies, and systems should begin with non-identifiable interactions and transactions, as the default. Wherever possible, identifiability, observability, and linkability of personal information should be minimised.
Use, Retention, and Disclosure Limitation – the use, retention, and disclosure of personal information shall be limited to the relevant purposes identified to the individual, for which he or she has consented, except where otherwise required by law. Personal information shall be retained only as long as necessary to fulfil the stated purposes, and then securely destroyed.
Privacy measures should form the foundation stone upon which the whole system or service is built, rather than being glued on at the end of the development cycle. The advantage of "securing" these measures early is that data protection becomes an essential part of the product, technology or service, affording the highest degree of protection from the very start.
A systemic, principled approach to embedding privacy should be adopted − one that relies upon accepted standards and frameworks, which are amenable to external reviews and audits. All fair information practices should be applied with equal rigour, at every step in the design and operation.
Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks and all measures taken to mitigate those risks, including consideration of alternatives and the selection of metrics.
The privacy impacts of the resulting technology, operation or information architecture, and their uses, should be demonstrably minimised, and not easily degraded through use, misconfiguration or error.
Full functionality, positive-sum, not zero-sum
Functionality of a product or service should not be compromised as a result of trade-offs from “false disagreements” such as privacy vs security, but rather an approach should be adopted where both can be achieved in a “win-win” situation.
When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are optimised.
Privacy is often positioned in a zero-sum manner as having to compete with other legitimate interests, design objectives, and technical capabilities in a given domain. Privacy by Design rejects taking such an approach; it embraces legitimate non-privacy objectives and accommodates them in an innovative, positive-sum manner.
All interests and objectives must be clearly documented, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary, in favour of finding a solution that enables multi-functionality.
End-to-end security for the life-cycle of the product
Privacy by design must consider security from the "cradle to the grave". Information is always afforded the appropriate security throughout the life cycle of the product (from collection to processing and finally destruction). There should be no gaps where security measures are not applied to the data processed. Choosing and implementing the correct level of data security measures for the product, technology or service from the beginning of the project is essential to meeting this requirement.
Security − Entities must assume responsibility for the security of personal information (generally commensurate with the degree of sensitivity) throughout its entire life cycle, consistent with standards that have been developed by recognised standards development bodies.
Applied security standards must assure the confidentiality, integrity and availability of personal data throughout its life cycle including, inter alia, methods of secure destruction, appropriate encryption, and strong access control and logging methods.
Visibility and transparency
Data subjects who are having their information processed are entitled to be fully informed of what is actually happening with their personal data from the point it is collected to the point it is deleted. The GDPR takes an active role in heightening visibility and transparency for data subjects by increasing the rights over their personal data in Chapter III. Having strong processes for Chapter III rights such as Data Subject Access Requests or Right to Erasure requests is a vital step for the privacy by design approach.
Accountability – The collection of personal information entails a duty of care for its protection. Responsibility for all privacy-related policies and procedures shall be documented and communicated as appropriate, and assigned to a specified individual. When transferring personal information to third parties, equivalent privacy protection through contractual or other means shall be secured.
Openness – Openness and transparency are key to accountability. Information about the policies and practices relating to the management of personal information shall be made readily available to individuals.
Compliance – Complaint and redress mechanisms should be established, and information communicated about them to individuals, including how to access the next level of appeal. Necessary steps to monitor, evaluate, and verify compliance with privacy policies and procedures should be taken.
Respect for user privacy
Privacy for the user should be a central concern for the product, technology or service. The goal is to provide a user-centric experience, rather than one which harbours illicit data processing practices such as mass collection of data or invasive profiling. Having the data subject feel like they are king of the product, technology or service, rather than just a number, is also a good way to increase consumer confidence. Big data is coming under ever-increasing attack for treating individuals like cattle, milking them for personal data which is then commoditised.
Consent – The individual's free and specific consent is required for the collection, use or disclosure of personal information, except where otherwise permitted by law. The greater the sensitivity of the data, the clearer and more specific the quality of the consent required. Consent may be withdrawn at a later date.
Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary to fulfil the specified purposes.
Access – Individuals shall be provided access to their personal information and informed of its uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Compliance – Organisations must establish complaint and redress mechanisms, and communicate information about them to the public, including how to access the next level of appeal.
All organisations striving for greater customer utilisation of their products should be promoting greater privacy strategies.
A comprehensive data map can prove an invaluable tool in helping you manage your data privacy, but what exactly is a data map and why do you need one? Relentless Data Privacy.
With the GDPR being in force for over a year now most businesses have a fairly good grip on what GDPR means for them.
They’re well aware of the need for a lawful basis to collect and process data. They understand all the benefits of hiring a Data Protection Officer (DPO), and whether or not they’re legally obligated to appoint one. They’re also well aware of their responsibilities with regards to international data transfers and for International organisations offering services and monitoring EU data subjects the need to appoint an EU Representative.
Yet if there's one aspect of data protection law that still leaves many of those same businesses scratching their heads, it's data discovery and data mapping. If you're one of them and still find yourself scrambling to figure out what they are, we're here to help.
Though it sounds fairly complex, both data discovery and data mapping are pretty simple concepts.
They refer to the process of taking stock of all the data your business collects and processes, then mapping exactly what happens to it and where it goes on its journey through your company and further afield. Relentless GDPR 24/7 is now live and takes it one stage further, as it produces a visualisation of your data map. It's a process that proves invaluable for businesses no matter how much, or how little, data they process, tracking the entire lifecycle of that data from the moment it's collected to the point at which it's finally deleted.
How to Create a Data Map
In most cases, the responsibility for data mapping falls to your Data Protection Officer (DPO) or another designated person with data protection responsibilities. Depending on your circumstances, this person may be an in-house employee or an outsourced data privacy consultant. The extent of your data map will depend on the nature of your business and your data processing activities, but every data map should contain a number of things.
For complex businesses where multiple departments process personally identifiable data, you need to break down the mapping by department. Furthermore, multi-entity global organisations need separate data mapping for each entity, within one encompassing portal.
What type of data you collect (email, bank details, address etc.)
Why you’re collecting that data
Whose data you collect
When you collect the data
What legal basis you have for processing the data
Where you store the data
What conditions are in place to protect the data
Which, if any, third-parties you share that data with
Where those third-parties are located
What protocols you follow to protect data during transfers to third-parties
Why is Data Mapping so Important?
At the most basic level, having a solid data map in place can help to minimise the risk of data breaches and privacy threats by ensuring that no data enters or leaves your organisation without being fully accounted for. Yet there’s more to it than just that.
Article 30 of GDPR states that:
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
The records…shall be in writing, including in electronic form.
The controller or the processor…shall make the record available to the supervisory authority on request.”
In other words, GDPR itself makes it mandatory to map data and make those maps available to supervisory bodies in the 28 member states when requested to do so.
Other useful benefits of data mapping include:
Privacy by Design
While Article 30 may be the most compelling reason for businesses to carry out data mapping, it isn’t the only one. Remember that Article 5 of GDPR establishes the principle of Privacy by Design.
In other words, data protection and privacy should be integrated into the very foundation of your business, rather than bolted on to your activities as an afterthought.
Using data maps from the beginning ensures that you have the proof you need to show that you’ve adopted a culture of Privacy by Design within your business. This can be especially helpful when it comes to creating a Data Protection Impact Assessment (DPIA) for new projects.
A big part of the process of creating a DPIA involves identifying the flow of data through your organisation, as well as identifying the associated risks.
Having a comprehensive data map in place will make this process much easier for your DPO or other appointed data protection specialist.
Using your data map, your DPO will also have a much easier time responding to data subject access requests, as it will allow them to quickly and simply pinpoint all the relevant data requested by a subject.
The Relentless GDPR 24/7 portal brings together 11 modules covering all of the above and more, for one monthly price.
Still need more advice or hands-on support with creating a data map for your business? Talk to the data privacy specialists at Relentless. As well as serving as your designated Data Protection Officer, we can help with data discovery, data mapping, and ensuring that your business enjoys frictionless compliance with GDPR and all international data protection laws. Contact us online today to arrange your initial consultation or call now on +44 (0) 121 582 0192.