
What you think you know about the GDPR… and why you may be wrong. - Privacy, Security and Information Law, Fieldfisher.

Europe’s new data protection law, the General Data Protection Regulation (or “GDPR” for short) is an undeniably complex piece of legislation. Privacy professionals everywhere, this one included, have a lot to learn and - thankfully - there have been many excellent articles written on the topic. For the most part, these focus on the changes that the GDPR will bring about and, specifically, the compliance actions that organisations must take. By contrast, less has been said about what the new law will NOT require. This might sound unsurprising (why would anyone want to know about things they don’t need to do?)

Because of that, I thought I’d dispel a few of the most common misconceptions the Fieldfisher Privacy, Security and Information team have heard. That’s it for our top 10 list.

Why the GDPR ‘legitimate interest’ provision will not save you | PageFair.

The “legitimate interest” provision in the GDPR will not save behavioral advertising and data brokers from the challenge of obtaining consent for personally identifiable data.

As previous PageFair analysis illustrates, personally identifiable data (PII) will become toxic except where it has been obtained and used with consent once the General Data Protection Regulation is applied in May 2018. Even so, many advertising intermediaries believe that they can continue to use PII data without consent because of an apparent carve-out related to “legitimate interest” contained in the GDPR. This is a false hope.

Legitimate interest

The balancing test

This is not a figurative exercise. The test also must consider the manner in which PII are processed: “whether large amounts of personal data are processed or combined with other data (e.g. in the case of profiling…)”.

Two options

Notes.

Microsoft GDPR Detailed Assessment Toolbox 1.2b.

Data Protection Impact Assessments under GDPR | Blog Now.

The General Data Protection Regulation (GDPR) will come into force in about 10 months. There is plenty to learn and do before then, including:

- Raising awareness about GDPR at all levels.
- Reviewing how you address records management and information risk in your organisation.
- Reviewing compliance with the existing law as well as the six new DP Principles.
- Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements.
- Reviewing information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
- Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
- Considering whether you need a Data Protection Officer and, if so, who is going to do the job.

As well as:

- Considering when you will need to do a Data Protection Impact Assessment (DPIA). Article 35 of GDPR introduces this concept.

When is a DPIA needed? Who should conduct the DPIA?

GDPR and ePrivacy Regulation: Beyond the marketing fog | Inflowing.

GDPR: What should Data Controllers be considering when using Data Processors? | Wright Hassall.

The General Data Protection Regulation (the GDPR) is due to come into force in May 2018. Under the GDPR, Data Controllers will have an obligation to only use those Data Processors that can show that they are compliant with the GDPR.

Data Controllers can no longer rely on contractual clauses alone to show that they are protecting personal data when outsourcing to Data Processors. The GDPR will require organisations to be far more ‘hands-on’, to assess compliance by way of audits, and to supplement that with additional data-related policies and procedures. We have set out below a list of key considerations for Data Controllers when thinking about engaging Data Processors. Circumstances will of course dictate and shape these considerations, so the list is non-exhaustive.

Due diligence

Before engaging Data Processors to carry out data processing activities, Data Controllers should be carrying out due diligence enquiries into the Data Processor’s ability to comply with the GDPR.

Liability.

Updating consent to receive marketing emails in preparation for the GDPR: be careful! | Wright Hassall.

In order to become GDPR compliant, many organisations are facing the job of checking whether they hold GDPR-compliant consent to send marketing emails to individuals. To prepare for the introduction of the GDPR in May 2018, some organisations have sent emails to their database to check that marketing consents are up to date. However, recent fines from the ICO have highlighted some potential risks involved. On 27 March this year the ICO fined both Honda and Flybe for sending emails to their customers to ask for confirmation of their contact details and marketing preferences. Flybe sent an email to 3.3 million people asking ‘Are your details correct?’

The email asked recipients to update their details and marketing preferences for the chance to be entered into a prize draw. The problem with the Flybe email was that it was sent to people who had previously refused or withdrawn their consent for email marketing. This was in breach of current data protection law.

G(in)DPR: Five gins to drink with these GDPR white papers.

We here at IDG Connect have been overrun with stories and commentary about the European Union’s General Data Protection Regulation (GDPR). It’s enough to turn us to the bottle. But there’s nothing to say we can’t be helpful and make a terrible pun at the same time. So, here’s a list of useful GDPR-based white papers to help you get your head around this legislation, coupled with some nice gins we like to drink to put us at ease.

Drink one: A New Dawn for Data Privacy; Complying with the European General Data Protection Regulation.

First up, a couple to ease you in. With these two papers, we’d recommend Jensen's Old Tom Gin.

Drink two: Information Insight for GDPR Compliance; Simplifying GDPR Compliance.

This two-parter from HPE aims to provide simple, actionable points for achieving GDPR compliance as well as helping to reduce the risk it poses to your business. With these papers, move on from old London to something more modern.

Drink three: GDPR: A Pocket Guide.

Drink four:

What the GDPR does – and doesn’t – say about consent – Miss Info Geek.

You may have noticed that the General Data Protection Regulation is rather in the news lately, and quite right too, considering there is only a year left to prepare for the most stringent and wide-reaching privacy law the EU has yet seen. Unfortunately, however, in the rush to jump onto the latest marketing bandwagon, a lot of misleading and inaccurate information posing as “advice” in order to promote products and services is flourishing and appears to be drowning out more measured and expert commentary. Having seen a worrying number of articles, advertisements, blog posts and comments all giving the same wrong message about GDPR’s “consent” requirements, I was compelled to provide a layperson’s explanation of what GDPR really says on the subject. So, let me start by saying: GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA. And again, so we’re completely clear – GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA!!!