How To

Hogan Injury tell us what we need to know about GDPR

This is a guest post by California law firm Hogan Injury, telling us from a legal perspective what we need to know about the dreaded GDPR! It previously appeared on their site.

Considered the most important development in data privacy regulation in two decades, the General Data Protection Regulation (GDPR) took effect on May 25, 2018. The regulation was debated for four years before it was adopted in April 2016, with a two-year transition period before enforcement began. Organizations that failed to bring their processing into line within those two years may now face heavy fines.

What exactly is the GDPR?

The GDPR is a regulation passed by the European Union that harmonizes data protection law across all 28 EU member states. It imposes stricter rules on the controlling and processing of personal data (the GDPR's term for any information that identifies, or could be used to identify, a living person) and strengthens the data protection rights of people in the EU. The stricter rules are also meant to reduce invasions of privacy and identity theft. The GDPR replaces the 1995 EU Data Protection Directive (95/46/EC).

The new rules set a higher standard for obtaining personal data from consumers. When a company collects personal data from an EU consumer on the basis of consent, that consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Consumers can also ask what data a company holds about them and on what legal basis it is processed. The stricter rules on collecting and sharing data also mean companies will have to revisit how ads are targeted online. For storing and processing data, the GDPR expects security measures appropriate to the risk, such as encryption, backups, access controls and malware protection.

The penalties for violations are also much higher. The maximum fine is 4% of the company’s worldwide annual turnover or €20 million, whichever is higher. This will clearly motivate companies to comply and revise their policies on data collection and sharing.

Why the need for the GDPR?

Consumers have taken advantage of the “free” services from Google, Facebook, and Twitter among others in exchange for giving away personal information such as email addresses, sexual orientation, and political leanings. However, users find it hard to understand exactly what they are consenting to when they agree to confusing and elaborate terms and conditions. One scenario that illustrates the need for stricter regulation of consumer data collection is Facebook’s Cambridge Analytica scandal. Political data firm Cambridge Analytica allegedly harvested the data of some 50 million Facebook users and used it to profile and target voters on behalf of US political campaigns in 2016.

In the US, a data privacy law for sensitive patient data has been in place since 1996: the Health Insurance Portability and Accountability Act (HIPAA). Its Privacy Rule governs how covered entities such as healthcare providers and insurers may access, store and share an individual’s protected health information.

How are the big tech companies doing?

Earlier this year, big tech companies took steps towards compliance with the GDPR. Google, for example, started letting users choose which data they want to share with Gmail and Google Docs, among its other products. Facebook started complying as well, rolling out a single page called the global privacy center that lets users control who sees their posts and what types of ads they see. Amazon began enhancing the encryption of data in its cloud storage and made its terms of agreement simpler.

What does it mean for the US consumer?

The GDPR is an EU regulation, but its reach is not limited to companies based in the EU: it applies to any organization, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour. Because the big tech companies serve users worldwide from shared systems, the changes they make to comply tend to reach US consumers too.

In need of expert legal advice? Contact us at Hogan Injury.

None of the content on Hoganinjury.com, and therefore on Prior Portfolio, is legal advice, nor is it a replacement for advice from a qualified lawyer. Please consult a legal professional for further information.


How to make sure the GDPR is no trouble

Rejoice, lovely readers, for we have made it to the fourth and final week of our GDPR training. Just in case you’ve been cut off from society, the GDPR is the EU’s new rules for data protection and it is very important that all businesses comply. Even if/when Brexit happens, the UK still needs to be compliant with the GDPR if they have clients in EU member states. For more information on the regulations, please read Week 1, Week 2 and Week 3.


This week is all about the bodies that ensure compliance with the GDPR, and the penalties they can dish out if you don’t comply. First up, national supervisory authorities monitor data processing activities, refer non-compliance to the courts, and give data subjects a means of complaint.

The national supervisory authority (or an accredited certification body) can certify that an organisation’s processing is GDPR compliant. A certification lasts for up to three years and can be renewed.

A national supervisory authority is competent for processing that takes place in its own territory or that affects data subjects living there. Where processing crosses borders, the authority for the country of the controller’s main establishment acts as lead supervisory authority (LSA) and coordinates with the other authorities concerned.

National supervisory authorities can impose liabilities for non-compliance with the GDPR, and data subjects are entitled to compensation if a company has misused their data. Controllers are liable for damage caused by non-compliant processing, while processors are only liable if they breached the obligations the GDPR places specifically on processors or acted outside the controller’s lawful instructions.

The European Data Protection Board (referred to as ‘the Board’) is made up of the head of each national supervisory authority plus the European Data Protection Supervisor (EDPS), who has restricted voting rights; a representative of the European Commission may attend meetings but cannot vote. The Board’s role is to ensure the GDPR is applied consistently, to foster cooperation between national supervisory authorities and to advise on international matters. To ensure consistency it issues guidelines and opinions and, where supervisory authorities disagree on a cross-border case, a binding decision; the LSA also helps with this.

A code of conduct can be drawn up (the GDPR envisages trade bodies doing this for their sector) setting out how organisations like yours will comply with the GDPR: how data will be collected, how subject rights can be exercised, and how subjects and authorities will be notified of a data breach. The code is submitted to the national supervisory authority for approval, and signing up to an approved code is one way of demonstrating compliance.

Finally, multinational groups can use Binding Corporate Rules (BCRs), a set of rules adopted by a group of companies and approved by the supervisory authority, which cover transfers of data between companies in the group across geographical boundaries. You do not need separate approval from the national supervisory authority to transfer data outside the EU as long as the transfer uses the Commission-approved standard contractual clauses. Otherwise, the European Commission must have recognised the destination country as providing adequate data protection (an ‘adequacy decision’), unless the controller provides appropriate safeguards such as BCRs or standard contractual clauses.

And that’s it. You now know everything I do about GDPR, how to implement it and how not to fall foul of its laws. All of my information comes from my studies on this free course, provided by the University of Groningen, which I would thoroughly recommend taking part in.


What is the difference between Controllers and Processors in the GDPR?

Welcome to Week 3 of my mini-series on aspects of the GDPR, the new data protection rules that come into force on 25th May 2018. This week, we are looking in depth at the differences between controllers and processors. You can view Week 1 and Week 2 by clicking on their links.

Photo: Johannes Plenio

The basic difference between controllers and processors is as follows:

A controller determines the why and how of data processing: its purposes and its means. Where two or more parties jointly determine these, they are joint controllers.

A processor carries out the actual processing on the controller’s documented instructions. It does not decide the purposes or means of processing, and it must not make the data available to anyone other than the controller, or bring in a sub-processor, without the controller’s permission.

Because controllers and processors have different roles, they also have different obligations. As processors are the worker bees, their obligations are much simpler. A processor must do the following:

  • comply with the GDPR and show how they have complied
  • maintain processing records
  • appoint Data Protection Officers if required
  • work with supervisory authorities
  • ensure security of data

A controller’s list of obligations is much longer. They must consider the nature, scope, context and purpose of processing, alongside any risks and the potential impact on the rights and freedoms of individuals. Data protection must be built into processing right from the beginning and applied by default; this is known as data protection by design and by default, or Privacy by Design. If there is a data breach the controller must notify a supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification needs to describe what happened, roughly how many subjects and records were affected and what categories of data were breached. Include the name and contact details of the DPO, or another contact point, and set out the likely consequences and the measures taken or proposed. Data subjects themselves must also be informed, without undue delay, if the breach is likely to result in a high risk to their rights and freedoms.

Controllers must be transparent with data subjects at the point of collection and must answer their requests for information. Subjects must be given the following details:

  • controller’s identity and contact details
  • DPO’s contact details (if the organisation has one)
  • purpose and legal basis for processing
  • who data will be given to
  • if data will be transferred outside EU
  • why personal data is required and what consequences there will be if subject doesn’t provide such data
  • what rights the subject has
  • whether any decision-making is automated
  • if data will be used for another purpose in future

If data is not obtained directly from the subject then the controller also needs to say where it came from, unless EU or member state law requires the data to remain confidential, or providing the information would be impossible or involve disproportionate effort (such as when undertaking a large statistical study).

If you are a joint controller then you have joint liabilities. Evidence must be provided to supervisory authorities that the GDPR is being complied with, so organisations should document their policies and keep a record of all processing. While any organisation can appoint a DPO to help with compliance, you must appoint one if the controller or processor is a public body, if your core activities involve large-scale, regular and systematic monitoring of individuals, or if they involve large-scale processing of special-category data or data relating to criminal convictions and offences.

The DPO monitors the organisation’s data processing and its compliance with the GDPR, and must be appointed on the basis of professional qualities, in particular expert knowledge of data protection law and practice.

Controllers must maintain records of all processing (organisations with fewer than 250 employees are exempt unless the processing is likely to be risky, is more than occasional or involves special-category data, but it’s worth recording anyway). These records must include:

  • controller’s name and contact details
  • why data is being processed
  • categories of data subjects, personal data and recipients
  • whether data will be transferred outside the EU and what safeguards apply
  • envisaged retention period, i.e. when data will be erased
  • a general description of the technical and organisational security measures, which should reflect a risk assessment and take account of the state of the art and the costs of implementation

A Data Protection Impact Assessment (DPIA) must be carried out by the controller if the processing is likely to cause a high risk to subjects’ rights and freedoms, such as automated decision-making with legal effects, large-scale processing of special-category data or systematic monitoring of a public area. The DPIA must contain a description of the processing, an assessment of its necessity and proportionality in relation to its purpose, and an evaluation of the risks and the measures proposed to address them.

A DPIA is not required for processing carried out under a legal obligation or public-interest task if an impact assessment was already carried out when the underlying law was adopted.

If the DPIA indicates a high risk to subjects’ rights and freedoms that the controller cannot adequately mitigate, the controller must consult the supervisory authority before beginning processing. This is Prior Consultation. The controller must tell the supervisory authority what responsibilities the controller and any processors have, why and how data is being processed, any measures taken to protect subjects’ rights, the DPO’s contact details (if there is one), the full text of the DPIA and any other information the supervisory authority requests.

Companies outside the EU that offer goods or services to, or monitor, people in the EU must appoint a representative within the EU as a point of contact for supervisory authorities and data subjects. This doesn’t apply to public bodies, or to processing that is only occasional, does not include large-scale processing of special-category or criminal-offence data, and is unlikely to result in a risk to individuals.

I hope this has been a helpful overview of the different tasks a controller and a processor have. The information comes from my work on a free online course from the University of Groningen, which you can access here.


How to make GDPR easy: Focus on data subject’s rights

Welcome to Part 2 of my series on the GDPR, the EU’s new rules on data protection which come into force on 25th May 2018. You can read Part 1 here. For Week 2 of the University of Groningen’s free course, accessible here, we focussed on the rights of data subjects. I have provided a summary of these rights in this blog post.


First up, all data controllers must meet transparency and modality requirements. For transparency, data subjects must be provided with clear information, in plain language, on how their data will be collected, processed and used. For modalities, controllers can give data subjects information either in writing or orally once the subject has proven their identity. Information should be given free of charge unless a request is ‘manifestly unfounded or excessive’, for instance because it is repetitive. One copy of the personal data may be given to the subject free of charge; further copies can be charged at a reasonable fee.

Data subjects’ rights can be restricted by EU or member state law where that is necessary for important public interests, for example taxation, law enforcement or national security. Any restriction must be necessary and proportionate, and a controller relying on one must be able to justify it. Unsurprisingly, national security is expected to be the most widely used ground for restriction.

Right to access

Data subjects can find out what, how and why data has been collected, how long it is stored for and who will access it.

Right to object

Data subjects can object to the processing of their data and have it stopped. Controllers can continue only if they can demonstrate compelling legitimate grounds that override the rights and freedoms of the subject, or that the processing is needed for legal claims. Objections to direct marketing are absolute and must always be honoured.

Right to restriction of processing

This differs from stopping processing outright and applies when the subject tells the controller the data is inaccurate (while accuracy is checked), when unlawful processing has occurred but the subject prefers restriction to erasure, when the data is no longer needed by the controller but the subject needs it for legal claims, or while an objection to processing is being assessed.

If processing has been restricted, the data may still be stored, but it may only be otherwise processed with the subject’s consent, to establish or defend legal claims, to protect the rights of another person, or for reasons of important public interest. Subjects must be informed by the controller before the restriction is lifted.

Right to erasure

This is more commonly known as ‘the right to be forgotten’ and happens in the following situations:

  • personal data is not necessary for purpose
  • subject withdraws consent with no overriding reason for continuing
  • subject objects to processing with no overriding reason for continuing
  • processing is unlawful
  • deletion needed to comply with law
  • data collected is to do with providing services to minors

The right to erasure does not apply where processing is necessary for exercising the right of freedom of expression and information, for complying with EU or member state law, for public-interest archiving, research or statistics, or for establishing or defending legal claims.

Right to data portability

Data must be given to subjects in a structured, commonly used and machine-readable format so they can pass it to a new controller if they wish, and where technically feasible the subject can ask for it to be sent directly to the new controller.

Right to lodge a complaint with a supervisory authority

If the subject thinks their data has been collected or processed in a way that goes against GDPR, they can lodge a complaint with the supervisory authority.

Right to an effective judicial remedy

The subject can bring judicial proceedings against the controller or processor, and against a supervisory authority if they are unsatisfied with its handling of their complaint. The subject can also skip the supervisory authority altogether and go straight to court if they wish.

Right not to be subjected to a decision based only on automatic processing

Subjects can exercise this right if a decision based solely on automated processing (including profiling) will have legal or similarly significant effects for them. This right does not apply if the decision is necessary for entering into or performing a contract, is authorised by EU or member state law, or the subject has explicitly consented; even then, the subject can demand human intervention and contest the decision. Under normal circumstances, a person must be meaningfully involved in the decision so that the processing is not solely automated.

Right to be represented by organisations and others

Data subjects can mandate a not-for-profit body active in the field of data protection to lodge complaints and exercise their judicial remedies on their behalf and, where member state law allows it, to claim compensation for them; the right is limited to these situations.

Right to compensation and liability

If a subject suffers material or non-material damage from an infringement of the GDPR, they can claim compensation from the controller or processor responsible. Controllers are liable for damage caused by processing that infringes the GDPR; processors are liable only for breaches of their own processor obligations or for acting against the controller’s lawful instructions. Either is exempt if it can prove it was in no way responsible for the event that caused the damage.

I hope these explanations of the rights of data subjects have been useful. As before, every effort has been made to provide accurate information but if you do spot any errors, please let me know in the comments below.


Why you don’t need to be afraid of the big bad GDPR

Welcome to the first part of a four-week series on how to comply with GDPR, the EU’s new rules on data protection. Week 2 is publishing today.

Photo: Marius Masalar

On 25th May 2018, every business in the UK must be compliant with new rules called GDPR. The rules have actually been around for nearly two years, so quite why us Brits are only hearing about it now is a mystery to me. It might have something to do with the GDPR being an invention of the EU, however, and this is really important:

GDPR COMPLIANCE IS NOT AFFECTED BY BREXIT

The rules apply to the personal data of any individual in the EU, even if that data is held by a business outside of the EU. So get complying. Luckily, I’ve been working through an excellent online course and can help you not be scared of the big, bad, GDPR.

By now you’re probably sick of those four little letters, so here is what they stand for. GDPR means General Data Protection Regulation. Which isn’t that complicated when you think about it. The old laws on data protection needed updating as everyone is using digital these days, and technology has outstripped the old laws. So GDPR is an easy way of clarifying the existing laws, not a shiny new thing. As with most data protection laws, it boils down to common sense. Over the next four weeks, I’m going to be sharing what I’ve learned from the University of Groningen’s GDPR course, to help you achieve compliance.

First up, the GDPR expects that systems which collect personal data have data protection built in from the beginning, and that the most privacy-protective settings apply by default. This is known as data protection by design and by default, or Privacy by Design. The aim is to prevent privacy breaches from occurring rather than to fix them afterwards. Examples of such measures include pseudonymisation (which the GDPR names explicitly), encryption of data at rest and in transit (for instance over a VPN), and authentication and access control so that only people who need the data can reach it.

Technically, the GDPR applies to natural persons and not companies, however it would apply to members of staff of a company, so in this way company data is often covered.

The GDPR covers data processing carried out by computer or manually in a filing system. But it does not cover activities carried out
– outside the scope of EU law, such as national security
– as part of the EU’s common foreign and security policy
– by competent authorities for the prevention, investigation and prosecution of crime (covered by a separate directive)
– in the home for purely personal or household reasons (such as keeping an address book of friends and relatives)

You do not have to sell a product for GDPR to apply. If your goods or services are given free of charge, you still need to comply with the rules.

GDPR applies to ‘any information’ including but not limited to a person’s name, gender, occupation, email address, and health, whether it is stored digitally or not. Any data that could be used to identify, whether directly or indirectly, a natural person, must be protected. These rights do not apply to anyone deceased.

Understandably, extra care must be taken with data categorised as ‘special’ or ‘sensitive’, to include; racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life, sexual orientation.

The people in charge of data processing, including deciding how it will be processed and why, are known as data controllers. The people who actually do the processing, according to the controller’s instructions, are data processors. Processors that process data on behalf of a controller must maintain a record of processing and ensure its security, but most of the other principles of processing are the controller’s responsibility to implement. If you are a self-employed freelancer like me, you get to be both controller and processor. Yippee!

The special term for a natural person whose data will be processed is a data subject. A Data Protection Officer (DPO) must be appointed by the controller or processor where the GDPR requires one (public bodies, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data), and any organisation may appoint one voluntarily. The DPO is chosen for their expert knowledge of data protection law and practice. Most freelancers will not need one, but if you do, the role can be filled by an outside person or agency under a service contract.

To wrap up Week 1, the course set out the GDPR’s six main principles of data protection. These are:

1) Lawfulness, fairness, transparency (be clear and concise; data subjects must know you are collecting)

2) Purpose limitation (only collect data for a specified purpose; don’t use data for another purpose)

3) Data minimisation (don’t collect more than you need)

4) Accuracy (inaccurate data must be corrected or deleted ASAP)

5) Storage limitation (don’t store for longer than necessary)

6) Integrity, confidentiality (keep data secure)

A further principle of accountability means the buck stops with data controllers. If the controller does not comply with the GDPR, they are the ones in big trouble.

One final note: where processing relies on consent, data subjects must give it freely and controllers must be able to prove consent was given. For online services offered directly to children, consent must come from a parent or legal guardian for anyone under 16, though member states may lower that age to 13 (as the UK has).

I hope this run through was helpful to you in implementing GDPR at your business. This blog is based on my notes from Week 1 of this course, which you can join for free. I have endeavoured to make sure everything is accurate, but if any errors have occurred, please let me know in the comments below.