Visiting With SKW Schwarz at IAPP’s Global Privacy Summit

Hunter Ferguson and I were joined by Dr. Matthias Orthwein and Dr. Volker Wodianka at IAPP’s Global Privacy Summit 2018.  We had many interesting discussions about GDPR, German data privacy law and DPO services. Our firms, Stoel Rives LLP and SKW Schwarz Rechtsanwalte are members of TerraLex ®, an international network of 155 leading independent law firms serving the business needs of clients around the globe. You might find SKW Schwarz’s Introduction to the German Federal Data Protection Act to be useful if you are doing business in Germany!

France – CNIL

France’s Commission Nationale de l’Informatique et des Libertés (“CNIL”) provides great tools and resources as well.

Germany – BfDI

Germany’s Bundesbeauftragte für den Datenschutz und die Informationsfreiheit published the Federal Data Protection Act to adapt GDPR. Germany provided some extensive guidance on GDPR here. Germany also publishes the standard data protection model, SDPM, in English on its site. Also available from the site are guidance materials about GDPR from the German Data Protection Conference, Datenschutzkonferenz or DSK:

  1. List Of Processing Activities
  2. Supervisory Powers / Sanctions
  3. Data Processing Of Personal Data For Advertising:
  4. Data Transmission To Third Countries:
  5. Privacy Impact Assessment:
  6. Right To Information Of Data Subjects, Article 15 DS-GVO
  7. Market Place Principle: Regulations For Non-European Companies
  8. Action Plan “DS-GVO” For Companies
  9. Certification According To Art. 42 DS-GVO
  10. Duty To Provide Information In Third-Party And Direct Collection
  11. Right To Cancellation / “Right To Be Forgotten”
  12. Data Protection Officer For Responsible Persons And Order Processors
  13. Employee Data Protection
  14. Video Surveillance
  15. Order Processing, Art. 28 GDPR
  16. Joint Data Controller, Art. 26 GDPR
  17. Special Categories Of Personal Data


The United Kingdom’s Information Commissioner’s Office (“ICO”) is a great resource for companies looking for clear DPA guidance. The ICO has provided a Guide to the GDPR which is very targeted and comprehensive as well as resources for organizations including several guides. Getting Ready For GDPR Resources is a nice package of information prepared by the ICO to assist smaller companies. Companies can also quickly report breaches when necessary. The ICO also provides a search capability of the Register Of Data Controllers.

Article 29 Working Party

The European Commission – Data Protection links to the Article 29 Working Party Guidelines which supplement our understanding of GDPR:

Additional “News” from the Art. 29 WP may be found here. Despite prominence on the Commission’s website, the Commission stated on December 12th, 2017 that the Art. 29 WP does not speak for the Commission (see here). Guidance, opinions and other statements of the Art. 29 WP are generally given a great deal of attention by those affected by GDPR because it is composed of the following:

  • A representative of the supervisory authority(ies) designated by each EU country;
  • A representative of the authority(ies) established for the EU institutions and bodies;
  • A representative of the European Commission.

On March 27, 2018, the Commission posted a new link to the Article 29WP archives from 1997 to November 2016.

European Commission – Data Protection

The European Commission – Data Protection provides links to EC data protection policies, information and services.  The Commission provides the official GDPR text in multiple languages, describes the European Data Protection Board and its responsibilities, provides detailed guidance and resources on data transfers outside the EU, and some focused discussion of the changes to the EU data protection rules as a result of GDPR, including:



The Commission provides an interactive infographic with a countdown clock that is a glossy overview that could be useful for a very high level overview of GDPR and its implications to companies. Recently, on March 7, 2018, the Commission updated their  Overview of the National Data Protection Authorities where you can find links to each DPA. Note that many of the DPAs provide their resources in their county’s language, and not in English.

List of Pending 2018 Breach Legislation

While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, there are many changes being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights in general.  After all, legislators are consumers too. For a quick reference of the legislation being considered in states where you might be affected, bookmark this page:

Email tracking services – are they really worth it?

As illustrated in this recent article in Wired, email tracking services and their counterparts, anti-tracking services, have been rapidly gaining ground on the web; to the point that 40% of all email being sent, and 99% of the majority of the emails you receive (newsletters, marketing materials, notifications and transactional emails) are now being tracked. There’s even a 16% chance any conversational email you receive from your professional contacts, friends, family, etc. is being actively tracked. Most if not all of this, without your consent.

Whether or not services like this are good or evil is really subjective, however if your organization is considering (or already using) an email tracking service, also consider the following:

  • Is the data being gathered without informed consent?
  • If so, have you reviewed your risk exposure with regards to complying with privacy regulations that require informed consent for obtaining information in this manner, such as GDPR and COPPA?
  • What action might the recipients take if they found out you were collecting this information?
  • What audit controls are in place to ensure the information being collected is not being misused?
  • How did you determine the value of the data you are collecting outweighs these risks?
  • Are you in compliance with rules and regulations related to marketing, such as the CAN-SPAM Act and the UK’s Privacy and Electronic Communications Regulations of 2003?
  • If you are adverse to the idea of your organization being tracked, do you have any controls in place to combat this threat?

If you have specific questions about email trackers and the potential risks of using or resisting them, please reach out directly to me or Amy Carlson.

How does your leadership remain aware of cyber security threats?

Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there still seems to be a significant knowledge gap among business leaders with respect to the threats that prominent cyberattacks pose to their organizations. Only 14% of business leaders in this report were aware of the Dyn attack that brought down large swaths of the Internet back in October 2016, and a paltry 8% of those surveyed were aware of the patchable Apache Struts vulnerability exploited in the Equifax data breach.

If executives sponsoring software development and/or acquisition projects do not have at least a basic level of awareness of cyber security threats, they will fail to ensure that application security is successfully built into those projects. Veracode’s survey also found that 65 percent of all internally developed applications did not successfully address the OWASP Top 10 security vulnerabilities. Ensuring your applications are securely designed to avoid these vulnerabilities should be considered a baseline requirement of any software development project. Asking for evidence of secure coding practices from any software supplier should be a baseline requirement of any RFP.

To stay well-informed about cyber security threats, vulnerabilities, trends and risk mitigation strategies, we recommend:

  • Subscribing to alert/advisory feeds like US-CERT, ICS-CERT, The National Vulnerability Database, etc.
  • Joining an information sharing organization – your industry may have an ISAC already; Stoel Rives is a member of the LS-ISAO
  • Following prominent security professionals with easily-digestible blogs, like Bruce Schneier and Brian Krebs
  • Meeting regularly (at least quarterly, but monthly is better) with the person or vendor in charge of your information security program to review threats and action plans
  • Conducting annual risk assessments using a qualified third party to get independent, expert feedback on your overall security posture
  • Requiring all members of your organization participate in regular cyber security training