
GDPR Guidance and Models


When B2B data is personal data and what that means with the GDPR. Does retargeting use personal data and how will GDPR impact it? ICO less likely to fine charities for data breaches if they show staff training. A marketer's guide to the looming EU Global Data Protection Regulation. GDPR processor clauses and why they can't wait - Privacy, Security and Information Law Fieldfisher. Most compliance professionals and in-house lawyers will be well aware that in GDPR terms the 'big day' is fast approaching.

GDPR processor clauses and why they can't wait - Privacy, Security and Information Law Fieldfisher

Some boards may by now have been persuaded this really should be at the top and not the bottom of the risk register. Others may be taking a more 'wait and see' approach ie wait and see who actually gets fined and how much. Then there will be a few who wasted no time, got their GDPR readiness plan in place and are already well on their way to passing the 25 May 2018 finishing line with 'GDPR star' status.

If, like many, you are still pondering where to even begin on the journey to GDPR star status, start with your contracts! The GDPR introduces far more stringent obligations to be imposed in writing on data processors than current data protection laws in Europe. This means that for any new processor contracts you are negotiating that will run beyond 25 May 2018, these clauses need to go into the contract now. As they say, a stitch in time saves nine. GDPR for the boardroom. Will GDPR Change the World? event. Introduction: Thank you.

Will GDPR Change the World? event

Let me take a moment to thank TechUK for putting together this event and for offering me the platform to speak with you this morning. Our Commissioner, Elizabeth Denham, has been clear that the ICO’s vision – of increasing data trust and confidence among the UK public – can only be achieved by working in partnership with the private, public and third sectors. An important part of that is developing key relationships with representative or umbrella organisations as multipliers and amplifiers for our engagement with different constituencies.

Dentons Boekel - GDPR Update: Rights of the data subjects (information notices) Data watchdogs called on to clarify organisations duties on consent under GDPR. One of the ways in which organisations can lawfully process personal data is where they have obtained a person's consent to do so.

Data watchdogs called on to clarify organisations duties on consent under GDPR

Stakeholders from business groups, civil society and academia urged the watchdogs to explain whether organisations need a person's consent "for every single processing operation", or whether a more general consent can be obtained for "every purpose" of processing they intend to engage in, according to notes from an April GDPR workshop hosted by officials from a committee of data protection watchdogs, the Article 29 Working Party. Data protection authorities were also asked to clarify whether businesses will be free, under GDPR, to set out recommended privacy settings if they "still require an affirmative action from the user in order to choose" how their data is used.

The mechanisms by which consent can be obtained, and the issue of whether existing consents need to be renewed, also need to be clarified, the stakeholders said. The GDPR “General Data Protection Regulation” Daily. Opt in versus opt out. Two letters from the regulator. Worry 1: Fundraising regulation may seem boring and complicated, but it’s also massively important.

Opt in versus opt out. Two letters from the regulator.

Charities can’t afford not to get this right. Recently, at a meeting of leading fundraising directors, one of the assembled group said, ‘My job now is managing decline’. About one third of the gathered FRDs agreed with him, slightly more did not, with the others undecided. At the time, I thought he was being overly pessimistic. The drift to ‘opt in’ has had me fearing he may not be far wrong. Worry 2: I’ve long hailed the late Mrs Olive Cooke as a potential patron saint for fundraisers. Many hoped it would push our sector towards a renewed realisation of its responsibilities to donors, leading to a timely overhaul of fundraising practices, in turn stimulating new promises to donors and the prospect of a consistently improved donor experience. Premature reaction to impending regulatory changes had me fearing fundraising might be irreparably damaged before that change has time to take effect.

General Data Protection Regulation (GDPR) and the Enterprise Technology Landscape « Thoughts from the Systems front line.... Recently at the London Metropolitan University, hosted by the students Union, I presented an example in which the introduction of new legislation would impact my version of the Enterprise Architectural Stack.

General Data Protection Regulation (GDPR) and the Enterprise Technology Landscape « Thoughts from the Systems front line....

Subsequently, after reading all 80+ pages of the General Data Protection Regulation (GDPR), I thought I would blog additional information and play back what I highlighted during the presentation, as I consider this an important, game-changing piece of legislation for those of us in Europe who design, deliver and manage Enterprise Systems. This blog is split into two parts: part 1 focuses on GDPR and the importance of the what and the why, whilst part 2 focuses on the how, i.e. how GDPR will impact the technology landscape of most organisations, together with some potentially impacted areas.

Part 1 – Brief Overview of the GDPR. The text of the GDPR was agreed at the end of 2015 and will be applied in the UK from 25 May 2018. Arthur J. Gallagher - Are You Ready For The GDPR?

Arthur J. Gallagher - Are You Ready For The GDPR?

'Charities should not feel pressured into opt-in model under GDPR', says DMA. The Direct Marketing Association has said that focusing purely on a fully opted-in consent model for fundraising is “not totally necessary” under GDPR, as it is only one of six legal grounds on which personal data can be processed.

'Charities should not feel pressured into opt-in model under GDPR', says DMA

Speaking at the Institute of Fundraising Technology Conference in London on Friday, John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association, said it was “not totally necessary” for charities to focus purely on consent in order to process data under the new General Data Protection Regulation. Mitchison said he had spoken to a number of charities who “feel that they are being pressured to go down this fully consent road”, but pointed out that consent is only one of six legal grounds on which personal data can be processed under GDPR, and that “no one is any better than the other”. “It’s important to point out that consent is only one of the legal grounds on which you can process personal data. Wanted: evidence base to underpin a children’s rights-based implementation of the GDPR. On 14 October 2016 a group of experts from various backgrounds joined a round table organised by LSE’s Media Policy Project, the UK Council for Child Internet Safety’s Evidence Group, the Centre for Digital Democracy and the School of Communication at American University, in order to discuss the impact of the General Data Protection Regulation on children and young people.

Wanted: evidence base to underpin a children’s rights-based implementation of the GDPR

In this post professor Eva Lievens of Ghent University urges the research community to identify concerns and challenges and communicate those to policymakers, data protection authorities and industry. To read more about the round table discussion see here. The General Data Protection Regulation (GDPR) contains a number of provisions that may be particularly relevant to children and young people. Much attention has been devoted to article 8, which requires information society providers to obtain parental consent in order to lawfully process personal data of children under 16 years of age. ICO: Open banking 'a key way' for banks to meet data portability duties under the GDPR. In a response (4-page / 224KB PDF) to a Treasury consultation on the implementation of the revised EU Payment Services Directive (PSD2) in the UK, the ICO urged firms involved in facilitating open banking to engage with it on the project, and highlighted the potential open banking has for aiding compliance with the General Data Protection Regulation (GDPR).

ICO: Open banking 'a key way' for banks to meet data portability duties under the GDPR

"We encourage industry to maintain an open dialogue as it designs and implements an open API standard," the ICO said. "The information commissioner views open banking as a key way in which individuals’ rights to data portability under article 20 of GDPR may be given practical effect, and it should therefore help financial institutions meet their data portability obligations." Those data portability obligations only apply to data controllers that process personal data based on customer consent or to perform a contract involving the data subject, and if the processing takes place by "automated means".

Facebook users will be given new legal right to delete all posts they made as teenagers, Tories announce. A holistic three-step approach to manage GDPR compliance - BearingPoint Sweden. The new EU legislation, General Data Protection Regulation (GDPR) is a comprehensive reform of data protection rules that will replace the Personal Data Act (PUL) in May 2018.

A holistic three-step approach to manage GDPR compliance - BearingPoint Sweden

All organizations that manage personal data are affected by GDPR. It entails extensive new data security and reporting requirements as well as increased financial penalties for non-compliance. Many organizations are unprepared for GDPR and not certain who should take the lead internally. By acting early and adopting a structured and holistic approach covering both legal and IT aspects, you have the right foundations for successfully achieving GDPR compliance and will gain control of your Master Data as a result.

Beware of the phish – how to stay ahead of the scammers. Targeted phishing emails and other online scams aimed at law firms are becoming ever more sophisticated. With the imminent arrival of the General Data Protection Regulation in May 2018, spotting the warning signs is more imperative than ever – and non-compliance is simply not an option, says Peter Wright.

Phishing emails are fraudulent emails appearing to come from legitimate sources.

They often direct you to a facsimile of a trusted website (like a bank’s) or entice you to open a legitimately-named attachment, or otherwise get you to divulge private information. This is then used by cybercriminals to commit identity theft. Targeted phishing emails now look ever more genuine. Don't assume that because an email is internal it is safe – I have heard of some firms' email account servers being compromised to the point where internal emails have been hijacked. Multi-channel attacks: criminals are now attempting cyberattacks through many different channels - phone, email, social media. Responses to ICO GDPR consent consultation highlight adtech quandary. Who: The ICO, the Direct Marketing Association (DMA) and the Internet Advertising Bureau (IAB). When: March 2017. What happened:

Many companies lack GDPR plan, PwC data shows. Organisations are failing to address the most important risks because they do not have a structured approach to complying with the EU’s General Data Protection Regulation (GDPR). This is the perspective of multidisciplinary practice PricewaterhouseCoopers (PwC), which has global insight into how organisations are preparing for the GDPR. European Privacy Regulation Guidelines from the Italian Data Protection Authority. BREAKING NEWS: European Privacy Regulation Guidelines from the Italian Data Protection Authority. The European privacy regulation (GDPR) can now rely on detailed guidelines from the Italian data protection authority on how to comply with it.

After the French and the Dutch data protection authorities, the Italian privacy regulator, Garante per la protezione dei dati personali (the “Italian DPA”), issued its six-step methodology on the GDPR, which also aims at increasing awareness of the most relevant changes introduced: 1. More detailed consent and broader legitimate interest. Three reasons businesses should use VOIP services for communications. VOIP services should be considered for your business communications. Voice Over Internet Protocol (VOIP) is one of the oldest business technologies in the market – yet, it hasn’t gone the way of the floppy disk and typewriters.

At its inception, VOIP was too much of a hassle because it required both parties on the call to be online on a computer. Moreover, the call quality of early VOIP calls was poor, with broken messages, rapid interruptions and loss of service; worst of all, those calls were expensive. However, upgrades in ISP infrastructure, improvements in data services and cheaper access to the Internet have provided a quantum leap in VOIP services in the last couple of years. In 2013, a market research report showed that there were more than 640 million VOIP subscribers worldwide. In essence, VOIP services are starting to occupy an important place in communications due to the upsurge in the use of residential and business VOIP services. Cheaper solution for making calls. The GDPR and your data protection obligations - Speaking of Security - The RSA Blog. The focus is growing on the European Union’s forthcoming “General Data Protection Regulation,” or GDPR.

As its May 25, 2018 implementation date draws nearer, organizations are starting to understand the magnitude of change this major regulation will drive. It is not only EU-based organizations that are subject to the GDPR’s requirements. If your company stores or handles any personally identifiable information about EU residents – things as simple as names and email addresses – then you are obligated to be in compliance, and risk penalties if you’re not.

Watchdog queries scope of rules on 'profiling' under the GDPR.
Human resources jobs, news & events - People Management.
More GDPR questions answered: new guidelines on DPIAs.
GDPR Myth: What happens in the EU must stay in the EU.
Sanity check: One year until GDPR.

Data protection and Brexit - an update.
It’s time to wake up and figure out how GDPR affects you!
WP29’s final word on DPOs, data portability, and the one-stop shop.
WP29 proposes DPIA guidelines, shedding light on “high risk” processing.
2,224 data security breaches reported in 2016, says Data Protection Commissioner.

Reports of data breaches to see exponential rise once mandatory reporting rules under GDPR come into force, warns Helen Dixon. Ireland’s Data Protection Commissioner has reported that the number of complaints over data privacy has increased from 932 in 2015 to 1,479 in 2016. In its annual report for 2016, the Data Protection Commissioner (DPC) revealed that it received reports of 2,224 valid data security breaches during the year, down from 2,317 reported in 2015. GDPR: How to win the data privacy war. GDPR awareness, readiness and compliance in the US, UK and Belgium.

UK Businesses Passing The Buck When It Comes To GDPR.
GDPR Compels Next-Generation Compliance Efforts.
European Commission: EU-US Privacy Shield complies with the requirements of the General Data Protection Regulation.
New privacy risks for tech suppliers?
Free guide to GDPR and data protection for charities published today.
UK’s GDPR law will not be judged “adequate” if it contains provisions that made the DPA inadequate - Hawktalk.
10 tips to a perfect data protection policy.
GDPR and your data: check you comply . . . then check again.
New data rules mean it can't be 'business as usual' - Helen Dixon.
German EU General Data Protection Regulation.
What does the General Data Protection Regulation (GDPR) mean to me and my Salesforce.com CRM? - Desynit.
EU trying to salvage US deal on data privacy.
UK to repeal sections of the Data Protection Act as part of GDPR reform process, says minister.
GDPR: Privacy law gives advertisers a tough cookie – Todd Ruback – Medium.

Make consent less boring.
No Longer the Same Check Boxes – Achieving Compliance and Data Security with EU GDPR - David Clarke & Stealthbits.
Data Breach Notifications: What's Optimal Timing?
Data security and breach notification in Japan.
3 options for GDPR after Article 50.
Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR - Privacy, Security and Information Law Fieldfisher.

The unfathomable cost of getting in the FCA’s bad books on data handling issues.
New regulations are not just a tech problem - now everyone must act in protecting consumers' data.
Managing unlimited demands for unlimited liability in GDPR contracts - Privacy, Security and Information Law Fieldfisher.
Characteristics of Governing Data.
Preparing for the EU GDPR - 360 Business Law.
Data Portability: how will your organisation unlock this right? - Data protection and privacy global insights.
How the new privacy data portability right impacts your industry.
Territorial scope of the GDPR (Flowchart).
Cloud industry body sets up new data protection code.

DPO and organizational models in the company – Europrivacy.
32016R0679.
Which Data Is in Scope for GDPR?
How GDPR impacts a data controller based outside the EU.
New obligations for data processors under the GDPR.
10 tips to stop your charity breaking the law.
Why charities need to prepare for GDPR.
The impact of the General Data Protection Regulation (GDPR) - Lawyer Issue.
Firms warned building trust vital under new EU data protection rules.

General Data Protection Regulation (GDPR) and the Enterprise Technology Landscape « Thoughts from the Systems front line....
Big data, AI, ML and data protection.
ClubEBIOS-EtudeDeCas-Geolocalisation-2012-12-15.
GDPR: Goodbye Notification, Hello More Fees!
General Data Protection Regulation (GDPR) – Final text neatly arranged.
How to prepare for the European data protection regulation?
CNIL-PIA-1-Methode.
The GDPR: Are you ready? - Foot Anstey.
The countdown to GDPR compliance: children and consent.
Children and the GDPR, Digital Economy Bill & UK Digital Strategy.
How UK’s GDPR law might not be judged 'adequate'.
Why the ICO Have Got It Wrong When it Comes to Third-Party Email Marketing & Consent.
Collaboration opportunity for local authorities around GDPR » Digital By Default News.

A strategic approach to vendor-management under the GDPR.
If a hard Brexit a-gonna fall what then happens to overseas transfers of personal data? - Hawktalk.
GDPR: How Do You Define 'Appropriate' Security Measures? - Froud on Fraud.
FCA/ICO: We’ve Got An Understanding.
UK ICO.
Breach notification.
ICO GDPR consent guidance: many organisations' current practices will not pass muster, Jacqueline Drury (née Clifton-Brown).
GDPR and accountability.
The GDPR: Essential guidance for intranet and digital workplace specialists.
GDPR and Consent - ICO's draft guidance - Data Protection Network.
Ten things you should know about General Data Protection Regulation (GDPR).
GDPR: Why should we care? - IT-as-a-Service Consulting - ITaaSC.