Tag: GDPR

Good Data Governance: Balancing rights and interests

 

Good data governance provides your company with reliable value. Likely so, a laissez-faire approach to data policy is likely to deteriorate your data’s reliability, your company’s competitiveness – and your overall revenue. What, then, defines good data governance?

European Data Protection Congress 2017 in one lesson

This question was a central theme at the International Association for Privacy Professionals’ annual Europe Data Protection Congress in Brussels, earlier this month. Amidst its speakers were several prominent figures from the academic, public, commercial, and legal arenas. These included the European Data Protection Supervisor, the NSA’s Privacy & Transparency Officer; security and privacy directors of IT giants such as Facebook, Microsoft, and IBM; as well as leading legal figures from renowned law offices and academia.

So, what brought all of these perspectives and interests together? No matter the differences in expertise and angle, each session repeatedly taught he same fundamental lesson: the GDPR is to be considered an opportunity to enable proper data governance in an atmosphere of responsibility and accountability.

State-of-the-art data governance

These values of responsibility and accountability are translated into explicit requirements in the GDPR – in particular Transparency (Article 12) and the rights of data subjects (Articles 13 to 22). These articles can be considered providing ‘active rights’ in the sense that those from whom the data originates (‘data subjects’) may actively pursue these rights with the the data controller. The data controller must comply of course. The GDPR was designed so that that any organisation within its scope must guarantee the rights of the data subjects.

This leads to the interim conclusion that modern-day data governance encompasses not only the processes of data collection and processing. It must also stipulate an up-to-date accountability framework, while keeping track of the goals, legal grounds, and protective measures (the ‘what, why and how’) related to all processing.

What is interesting is how compliance with these data subjects’ rights also actively protects the data controller’s own interests. Time to take a closer look.

First phase: the ‘absolute’ right to access

Any natural person who believes that a data controller is processing his or her data, can ask the controller whether that is indeed the case. If so, the data subject has the right to access this data. The controller provides this data, and must also inform the data subject on the purposes of processing, the categories of personal data being processed, for how long the data is kept, to whom the data may be disclosed, whether or not profiling is done, and the possible consequences that it may have on the personal life of the data subject. Moreover, the controller is also in charge of notifying the data subject on its other rights.

Second phase: Killing two birds with one stone

After having accessed its data, the data subject has some options. S/he may just leave things as they are. Alternatively, s/he may invoke other rights. To highlight the importance of good data governance, we emphasize the right to erasure and the right to object.

Right to erasure

The data subject may invoke its right to erasure, perhaps better known as the ‘right to be forgotten’. Indeed, when granted, all personal data of the data subject must be erased by the controller. However, this does not mean that the controller must comply with such a request right away, at all times. The right called upon by the data subject is not an absolute right; it must be balanced against other rights and interests. This is why, as a controller, it is of vital interest to have one’s data governance up-to-date. Let’s see how this works out, using two contexts as case-studies.

Context 1: Data subject rights v. data controller interests

Before it can be executed, the right to erasure must be balanced against the interests of the data controller. The right to erasure can only be invoked if the personal data are no longer necessary in relation to the purposes for which they were collected or processed, or if the processing happens unlawfully, or if erasure is required by another law. This means that the controller may have compelling reasons (legitimate interests) which allow it to continue processing. Even when the processing happens on the basis of the data subjects’ consent which it then revokes, the data will not be simply erased if there is another legal ground for its processing.

Context 2: Data subject rights v. other fundamental rights

The right to erasure cannot be executed when the processing is necessary to exercise the right of freedom of expression and information. Also, when the controller processes the data to comply with other legal obligations, or when processing is necessary for reasons of public interest in the area of public health, the data may not be erased.

Right to object

Another fundamental, but non-absolute right of the data subject, is the right to object to processing of his/her data. One precondition applies: the legal ground for processing must be either the controller’s legitimate interests, or the performance of a task carried out in the public interest or in the exercise of official authority, vested in the controller. In other words: if the data subject has previously consented to the processing, s/he cannot simply object. S/he must then walk a different route, starting with the revocation of his/her consent.

Balance: interests, rights, and freedoms

If the data subject objects processing, the controller must stop this processing. However, if the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, it may not have to do so. Again, this is a matter of balancing rights and interests, and of preparation.
If this preparation is not in place, each request will probably result into a temporary ‘restriction of processing’ until more clarity is obtained – risking either non-compliance or damaged interests. However, if the controller has a proper preparation and documentation of all its processing activities, it knows whether or not to comply, wholly or in part, with the requests it receives, as well as the legal, financial, and operational consequences.

Good data governance

Good data governance enables transparency while preparing and protecting your organization against uncertainty within the legal, financial, an operational domains. Careful preparation and documentation of the rights of your data subjects has many advantages.

Good data governance:

  • guarantees your data subjects’ rights (and associated reputation increase/decrease);
  • protects you as a data controller from unjust attempts to restrict your data processing activities (which may even make you lose your compliance with other laws);
  • provides an overview of your processing activities, its values, and its financial, legal, and operational consequences.

Preparing your organization for a future of sustainable data management is only sensible. If you like a free-to-use indication of your current status, check out our GDPReadiness Assessment.

Start assessment:

Check out our GDPReadiness Assessment!


Do you want to know how your business’s CRM is doing on the road towards GDPR compliance? Check out our Trueson GDPReadiness Assessment – no commitments or strings attached of course.

Last week, the European Data Protection Congress 2017 took place in Brussels. Our GDPR compliance consultant Arjun attended. When in a session with the European Data Protection Supervisor, mr. Giovanni Buttarelli, the following question arose:

Member of the audience:

Our experience working in the business side is that some companies are saying “we’ll wait who gets fined first before we get to complying with the GDPR”.

Giovanni Buttarelli:

This is the best, in terms of a suicide approach. Fines will come, but that is not even the main problem; reputation is. The emphasis will be on trust and confidence. The implementation cannot be improvised and takes time.

In roughly half a year, the GDPR goes into effect. The perfect opportunity to combine compliance with the practice of good data governance, efficiency, and insights. The GDPR applies to your business as well, so hopefully you started preparations. You may have questions: where should we start, and what exactly do we need to do?

How about we help you with that – right now, for free, without any commitments.

If you want to know your current status on the road towards GDPR compliance, you can find out now. We have designed a concise and comprehensive assessment; at the end of the assessment, you will be presented an indication of your current level of readiness. If you want any specific information or more detailed feedback, we are happy to do so as well.

Start assessment:


NRC: “Plotseling is iedereen privacy-expert”

(Scroll down for English)

Onze GDPR Compliance & Security Consultant Arjun Swami Persaud mocht vandaag een bijdrage leveren aan een artikel in het NRC. Hieronder een korte samenvatting en een link naar het artikel.

Het komt steeds dichterbij – 25 mei 2018, de datum waarop de nieuwe Europese privacywetgeving van kracht wordt (de AVG, in het Engels GDPR). Naarmate deze datum nadert, neemt ook het aantal organisaties toe dat belooft om je zorgen hieromtrent weg te nemen – voor een prijsje.

In het artikel wordt geschat dat, alleen in Nederland al, er structureel enkele duizenden Functionarissen Gegevensbescherming nodig zijn vanaf eind mei. Vanwege een gebrek aan officiële certificeringen is het echter onduidelijk hoe te bepalen wie er gekwalificeerd is. Dit punt hebben we ook besproken in ons laatste weblog over de AVG en deze functie. De consensus is dat ervaring en kennis in het werkveld in ieder geval zwaar wegen.

Het volledige artikel is hier te lezen.

English text

Our GDPR Complaince & Security Consultant Arjun Swami Persaud contributed to a news article in the Dutch newspaper NRC. Here you can find a short summary, as well as a link to the (Dutch) article.

Now that the effective date of the GDPR – 25th of May 2018 – comes ever closer, the Regulation increasingly gains significant attention. A plethora of new offices claims to be able to magically solve your company’s GDPR worries – for a fee of course.

The article mentions that it is estimated that in the Netherlands alone, several thousand privacy officers will be needed structurally. However, due to the lack of official certification, it is unclear by what standards you can judge whether or not someone is qualified. This was also a point of attention in our last blog post on GDPR and the Data Protection Officer. Consensus is that you should choose a company with the experience and know-how in your field.

You can read the full article here (in Dutch).

7 months to GDPR: Why your company needs a DPO right now

 

Many companies are currently considering, or looking to recruit, a Data Protection Officer (DPO) in their journey towards GDPR compliancy. A common misconception is that only companies with at least 250 employees would need one. Those are outdated (and potentially damaging) facts. Be cautious and double-check all the info you get – and assume your company needs a DPO as well!

Who is this DPO?

Summarized, the DPO monitors the organization’s compliance with the GDPR. In a bit more detail, the DPO:

  • works cross-departmentally;
  • reviews the company’s policies and practices;
  • performs internal audits;
  • is involved with, and provides advice on all issues regarding the protection of personal data;
  • reports to the highest levels of management;
  • is the organization’s official contact to cooperate with the Data Protection Authority.

Being a sui generis within the organization, the DPO enjoys specific rights and protections to properly execute his or her tasks. S/he may not be instructed on how to do exercise his or her tasks by management, and may not be dismissed or penalised for doing so. This is deliberately inconvenient for companies seeking to interpret the Regulation a bit more ‘pragmatically’.

Mandatory luxury?

Considering the short time left to reach compliance, there is a surprising lack of official certification methods for DPOs. Whereas multiple organizations provide crash courses, be aware that none of these has as of yet received a certification status by official certification bodies. As a ground rule, experience in and knowledge of relevant law, data security, and organizational consultancy should constitute fundamental characteristics of a good DPO.

Despite this presumed lack of certified DPO’s, it should be no luxury to consult one these days. Proper governance of personal data is either a dealmaker or dealbreaker in most industries. These ‘deals’ are spiced up a bit by the GDPR – as you might have guessed already. We know that the appointment of a DPO will be a significant weighing factor for Data Protection Authorities (DPAs), when verifying GDPR compliance. Moreover, the DPAs from the UK (ICO), the Netherlands (AP) and Canada (OPC) are currently working on building an international framework of cooperation for enforcement[1] of the GDPR. Proper understanding and adherence is clearly recommendable.

You may wonder why Canada and the UK as (future) non-EU member states, bother to spend resources on enforcing the European data regulation. Just remember that the GDPR does not just affect companies with an establishment in the European Union, but any company, wherever on this globe it may be based – as long as it is in any way involved with the processing of data of subjects in the European Union. This scope could potentially include about any organization, so let us draw a clear image of what this means in practice.

Ambiguity and guidelines

Unfortunately that was easier said than done. The most straightforward text on DPOs can be found in Articles 37 to 39. In some national jurisdictions, appointing a DPO was already mandatory pre-GDPR. In the GDPR doing so is an absolute necessity, pan-Europe and abroad, if the rights conditions are met. The GDPR is somewhat vague on these conditions and more guidance was needed to translate the spirit of the law into a more practical interpretation. Two questions stand out specifically, both referring to article 37(1)(b)

  • What is understood by monitoring of data subjects as part of a business’s “core activities”?
  • How should we interpret this monitoring of data subjects “on a large scale”?

The WP29[2] recognized this ambiguity, and published additional guidelines in April 2017. Its three directions:

  • Appointing a DPO is considered good practice and is encouraged, even when not required;
  • Appointing a DPO is mandatory when data processing is part of a business’s core activity;
  • If a business requires some sort of processing personal data to achieve its primary goals, then such processing is considered a core activity.

Let us now formulate an answer to our questions, using the case of PharmXample.

Case: PharmXample

PharmXample is a pharmaceutical company focused on the manufacturing, marketing and sales of generic drugs throughout Europe and South Africa. Would you say that a PharmXample core business is processing personal data? Probably not. However, one of its core activities is the marketing and selling its innovations. To do so, PharmXample representatives require access to, and use of, physicians’ data. Despite this data being B2B, the data identifies natural persons, and is therefore within scope of the GDPR. Without these activities, PharmXample would not be able to sustain itself. Processing personal data is therefore inextricably linked with one of PharmXample’s core businesses, and a DPO is required.

With regard to the ‘large scale’: the WP29 notes the expectation that over time, a standard practice may develop when it comes to determine what exactly is understood by it. For now, companies are left to determine this for themselves. This makes it risky to assume you are on the safe side. Keep in mind the guidelines and realize that when audited, the logic of GDPR demands you to prove that you are explicitly exempted, rather than vice versa.

Appointing a DPO

So, you decided that it would be wise to hire a DPO, how would you go about doing so? You may choose to either hire your own full-time DPO, or to hire one externally based on your budget, needs, and context. As of now, there are (still) no clear guidelines on how to recognize a qualified DPO – other than references and experience. We expect that from 2018 on, there may be more clarity on official DPO-certifications.

We think that the question should not be if you need a DPO to be compliant; if anything, the DPO provides a terrific opportunity to prepare for the future – where strategic, sustainable and accountable governance of personal data determines long-term success.

[1] https://autoriteitpersoonsgegevens.nl/nl/nieuws/privacytoezichthouders-wereldwijd-versterken-samenwerking-bij-handhaving

[2] https://en.wikipedia.org/wiki/Article_29_Data_Protection_Working_Party

 

GDPR, Obligations of Controllers and Processors

The GDPR brings many new rules and obligations. On the other hand it also adapts, specifies, eases, or removes many rules from previous privacy regulations.
As with previous privacy regulations, the GDPR distinguishes two types of organisations: data controllers (Article 4(7)) and data processors (Article 4(8)). It is very important to understand whether your company is a controller or a processor, because each has different obligations under the GDPR. In short, a data controller determines the purpose(s) and means of the processing of personal data, whereas a data processor processes personal data on behalf of the controller.

Let’s explore the most important obligations under the GDPR.

Obligations as a data controller

As a data controller…

  • You must, of course, make sure you process personal data in compliance with the GDPR (Article 6(1)).
  • You may only process personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed (Recital 39).
  • You should implement appropriate security measures to protect the personal data you process against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access (Recital 83 & Article 32).
  • You should implement data protection measures, both during the planning phase of processing activities of personal data, and during the implementation phase of any new product or service. This is known as the principle of “Data protection by design” and “Data protection by default” (Recital 78 & Article 25).
  • You are required to keep records on all your processing activities involving personal data (Recital 82, 89 & Article 30).
  • Consider carrying out a Data Protection Impact Assessment (DPIA) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35). Our next blog examines the DPIA in more detail.
  • You may be required to appoint a Data Protection Officer (Article 37, 38, 39). A later blogpost will be dedicated to this newly introduced function.
  • When working together with a processor, both you and your processor have to guarantee compliance with the GDPR. This must be made explicit in the contract between controller and processor.
  • You should familiarise yourself with the rules on cross-border data transfers, as these are much stricter under the GDPR (Article 44-50).
  • You have to report any incidence of a data breach within 72 hours to the authorities and to the affected data subjects (Article 33, 34).

Obligations as a data processor

As data processor, the most important rule is to process personal data according to your contract with the data controller, and in no other way (Article 29). Under previous regulations, data controllers could be held responsible for both their own actions, as well as for those of their data processors. Under the GDPR, processors are held accountable for their own actions.

If you are a data processor, heed the following:

  • As with data controllers, you must implement appropriate security measures (Recital 83 & Article 32), keep records (Recital 82, 89 & Article 30), carry out Data protection Impact Assessments (Article 35), adhere to obligations regarding Cross‑Border Data Transfers, and possibly appoint a Data Protection Officer (Article 37, 38, 39).
  • If you suffer a data breach, this must be reported to the controller “without undue delay” (Article 33).  This timeframe should be specified in the contract with the controller, to make sure you are both on the same page as to what this means.
  • If you want to use a sub-processor, you need prior written consent of the controller (Article 28(2) & 28(4)).
  • If you believe that its controller’s instructions conflict with the requirements of the GDPR, you must immediately inform your controller (Article 28(3)).
  • The controller has the right to do a security audit when it wants you to demonstrate compliance with the GDPR (Article 28(3)(h)).

Additionally, if a processor undertakes data processing operations for which there is no explicit consent by the controller, the processor is considered by law to be a controller itself, with all corresponding obligations and consequences.

What does this mean for you?

The next step for your company, regardless whether you are a controller or a processor, should be to check the personal data you already have, and how you are currently processing. Even the saving or keeping of data ‘for later’ is considered processing! Take a thorough look at the processes you currently employ. There is a chance they are in need of an update to be compliant with the obligations demanded by the GDPR. If this is the case, action is required.

In our next blog, we will continue our examination of the new obligations, by exploring the requirements and benefits of Data Protection Impact Assessments.

 

GDPR, and the rights of data subjects

In this blogpost we will talk about the rights of data subjects. The GDPR introduces some new rights, and expands the already existing ones. As a company it is crucial to understand these rights, as they might have a big impact on your processes and systems. Let’s discuss some of the most important rights of data subjects under the GDPR:

  • The right of access (recital 63 and article 15 of the GDPR)
    Data subjects have the right of access to their personal data. A complete list of the information your company must be able to provide can be found in article 15 of the GDPR.
  • The right of rectification (article 16 of the GDPR)
    Data subjects have the right to rectification of inaccurate personal data. As a company, you must erase or rectify inaccurate personal data from your systems on the request of the data subject.
  • The right to erasure (article 17 of the GDPR)
    Data subjects have the right to be “forgotten” under certain circumstances, which can be found in article 17(1) of the GDPR. This means your company must be able to delete a person’s personal data from your systems. Under certain circumstances your company must keep some or all of the personal data. These circumstances can be found in article 17(3) of the GDPR.
  • The right to restrict (article 18 of the GDPR)
    Data subjects have the right to restrict the processing of their personal data under certain circumstances, which can be found in article 18 of the GDPR.
  • The right of data portability (article 20 of the GDPR)
    The data subject has the right to request his/her personal data from a controller, so he/she can transmit it to another controller without hindrance.
  • The right to object (article 21 of the GDPR)
    A data subjects has a right to object to the processing of their personal data. Pay extra attention to this right if your company uses either “public interest” or “legitimate interests” as the lawful basis for processing personal data. Article 21 of the GDPR explains this right in more detail. Under the right circumstances, if your company can show that it has compelling/legal grounds to continue the processing, you do not have to stop your processing activity.

As a company you must meet these requests of data subjects, but it is very important to identify the data subject before you act upon his/her request. When a request is made, you have one month to provide the requested action, and should do so free of charge. And, as always under the GDPR, you must provide all information concise, transparent, intelligible and in an easily accessible form, using clear and plain language.

We hope you found our blog informative so far. In our next blogpost we will discuss the (new) obligations of organizations under the GDPR.

For more info about Trueson services, we recommend having a look here.

Another GDPR hot topic: Consent

 

In our previous blog post we discussed personal data and sensitive personal data.
We also explained what the GDPR says about the grounds on which personal data can be processed.

In this blog post we will dive deeper into this subject, focussing on the ground most focussed on in the GDPR: Consent.

Under previous privacy laws, consent was already a ground for legal processing of personal data. Under the GDPR this remains so, but more strict rules apply on consent. This means that if your company relied on consent as a means to legally process data before, you need to check if the way you obtain consent from data subjects is still compliant with the GDPR.

Review all your current contracts and general terms and conditions to make sure they comply with the GDPR. In article 7 of the GDPR, the 4 conditions for consent are explained:

The data Controller needs to be able to demonstrate that the data subject has consented to processing of his or her personal data. Meaning you should log proof of when and how you obtained consent, from whom, and for what kind of processing.

The request for consent shall be presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. This means no more big patches of text, and no more small print. If different processing activities take place, then the data subject must give consent for every separate type of processing.

For data subjects, it should be equally easy to give or withdraw consent. Meaning you should implement a process to deal with consent withdrawal requests, if your company didn’t have this already.

Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent easily (without detriment). For example, authorities will assess if in a contract with the data subject the consent for processing activities is made conditional, whilst these activities are not necessary for the performance of the contract. Also, silence cannot be taken as consent anymore. Pre-ticked boxes, inactivity, failure to opt-out, or passive acceptance (acquiescence) are history under the GDPR.

It is important to check if the consent you received so far is in line with the rules of the GDPR. Note that it is stated in recital 171 of the GDPR that where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for data subjects to give consent again if the way that consent was given is in line with the conditions of the GDPR. Also note that for children, even more specific rules around consent are in place, which can be found in article 8 of the GDPR.

We hope you enjoyed this blog post. In our next, we will discuss the rights of data subjects.

GDPR, how sensitive personal data really is

Hi everyone. This week’s topic is on the nature of personal data. When your company starts working towards GDPR compliance, you must begin with mapping your data estate. What kind of personal data does your company possess? How sensitive is this data? And on what grounds are you processing it? To answer these questions, you must know how personal data is defined in the GDPR.

How is ‘personal data’ defined under the GDPR?
The exact definition in the GDPR of personal data can be found in Article 4(1):

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is new about this definition is that three new identifiers are added to it: names, location data (data with a geographic position attached to it), and online identifiers (IP addresses, mobile device IDs, etc). Many companies have already treated these types of data as personal data, but under the GDPR these types of data are officially part of the definition of personal data.

When is personal data considered sensitive under the GDPR?
In article 9(1), the GDPR mentions a few types of personal data that should be prohibited to process, unless specific conditions have been met:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade-union membership
Genetic or biometric data
Health or sex life

These types of personal data can only be processed if specific conditions have been met, and should be processed with extra caution and safety measures. What’s new about this definition is that the GDPR includes genetic and biometric data (gene sequences, fingerprints, facial recognition, etc.).

On what grounds can personal data be processed? To process personal data, a data controller must meet at least one of the conditions found in article 6 of the GDPR:

a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) Processing is necessary for compliance with a legal obligation to which the controller is subject;

d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

A, b, and f are the conditions that most companies use to process personal data. Processing sensitive personal data, or what the GDPR calls ‘special categories of personal data’ in article 9, is prohibited unless more specific conditions have been met. These specific conditions can be found in article 9(2). In a later blog post we will elaborate further on the conditions of the processing of personal data and sensitive personal data.

Thank you for having read this entire blog post, as it was a bit a dry read. But it is an important aspect of the GDPR that will help you put our next blog posts in perspective. More (and fun to read) blogs will follow!



If you have any questions or comments, please fill out the form below.





We launched our new website,
and are excited to present you our new look

Trueson is proud to announce the launch of its new website. Check it out here: www.trueson.com

Our new website provides a clear message of who we are, what we offer, and our values when developing, delivering
and maintaining solutions. It is designed to easily navigate on a wide range of web browsers and portable devices.
And it has a new look showing the significance of our personal touch in collaborating with our customers, and the roots
of our company.

Trueson is evolving, and we made sure that information about our services is up to date and well structured.
In our News section, we introduced a series of posts to inform you about eg the nuts and bolts on GDPR, and going forward we will continue to place other relevant insights and updates.

We are proud of our new website and confident it will create the experience you are looking for when you visit us.
If you have any feedback, make sure to let us know!