Hunter Ferguson and I were joined by Dr. Matthias Orthwein and Dr. Volker Wodianka at IAPP’s Global Privacy Summit 2018. We had many interesting discussions about GDPR, German data privacy law and DPO services. Our firms, Stoel Rives LLP and SKW Schwarz Rechtsanwälte, are members of TerraLex®, an international network of 155 leading independent law firms serving the business needs of clients around the globe. You might find SKW Schwarz’s Introduction to the German Federal Data Protection Act useful if you are doing business in Germany!
France’s Commission Nationale de l’Informatique et des Libertés (“CNIL”) provides great tools and resources as well.
- CNIL recently updated its Privacy Impact Assessment (PIA) Guides, which cover application to connected objects, methodology, a template and knowledge bases.
- CNIL also recently updated its PIA software tool in four languages that companies can use for compliance.
- CNIL provides guidelines for processors under GDPR: A Guide to Assist Processors.
- CNIL provides guidelines on Data Protection Impact Assessments as well as a useful DPIA infographic.
Germany’s Bundesbeauftragte für den Datenschutz und die Informationsfreiheit published the Federal Data Protection Act as adapted to GDPR. Germany provided some extensive guidance on GDPR here. Germany also publishes the Standard Data Protection Model, SDPM, in English on its site. Also available from the site are guidance materials about GDPR from the German Data Protection Conference, Datenschutzkonferenz or DSK:
- List Of Processing Activities
- Supervisory Powers / Sanctions
- Data Processing Of Personal Data For Advertising
- Data Transmission To Third Countries
- Privacy Impact Assessment
- Right To Information Of Data Subjects, Article 15 DS-GVO
- Market Place Principle: Regulations For Non-European Companies
- Action Plan “DS-GVO” For Companies
- Certification According To Art. 42 DS-GVO
- Duty To Provide Information In Third-Party And Direct Collection
- Right To Cancellation / “Right To Be Forgotten”
- Data Protection Officer For Responsible Persons And Order Processors
- Employee Data Protection
- Video Surveillance
- Order Processing, Art. 28 GDPR
- Joint Data Controller, Art. 26 GDPR
- Special Categories Of Personal Data
The United Kingdom’s Information Commissioner’s Office (“ICO”) is a great resource for companies looking for clear DPA guidance. The ICO has provided a Guide to the GDPR, which is very targeted and comprehensive, as well as resources for organizations including several guides. Getting Ready For GDPR Resources is a nice package of information prepared by the ICO to assist smaller companies. Companies can also quickly report breaches when necessary. The ICO also provides a searchable Register Of Data Controllers.
- Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01)
- Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01)
- Guidelines on the application and setting of administrative fines (wp253). In multiple language versions.
- Guidelines on Transparency under Regulation 2016/679 (wp260) [adopted, but still to be finalized]
- Guidelines on Consent under Regulation 2016/679 (wp259) [adopted, but still to be finalized]
- Guidelines on the Lead Supervisory Authority (wp244rev.01)
- Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
- Guidelines on the right to “data portability” (wp242rev.01)
- Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)
Additional “News” from the Art. 29 WP may be found here. Despite prominence on the Commission’s website, the Commission stated on December 12th, 2017 that the Art. 29 WP does not speak for the Commission (see here). Guidance, opinions and other statements of the Art. 29 WP are generally given a great deal of attention by those affected by GDPR because it is composed of the following:
- A representative of the supervisory authority(ies) designated by each EU country;
- A representative of the authority(ies) established for the EU institutions and bodies;
- A representative of the European Commission.
On March 27, 2018, the Commission posted a new link to the Article 29 WP archives from 1997 to November 2016.
The European Commission – Data Protection provides links to EC data protection policies, information and services. The Commission provides the official GDPR text in multiple languages, describes the European Data Protection Board and its responsibilities, provides detailed guidance and resources on data transfers outside the EU, and some focused discussion of the changes to the EU data protection rules as a result of GDPR, including:
- Rights for Citizens
- Rules for Business and Organizations
- What is Personal Data?
- What Does GDPR Govern?
- What Constitutes Data Processing?
- What Are Data Protection Authorities?
The Commission provides an interactive infographic with a countdown clock: a glossy, very high-level overview of GDPR and its implications for companies. Recently, on March 7, 2018, the Commission updated its Overview of the National Data Protection Authorities, where you can find links to each DPA. Note that many of the DPAs provide their resources in their country’s language, and not in English.
Recently, I have been asked several times where there are good, official resources on GDPR. The following series of posts provides links to these resources. We will post additional resources from time to time.
While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, there are many changes being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights in general. After all, legislators are consumers too. For a quick reference of the legislation being considered in states where you might be affected, bookmark this page:
As illustrated in this recent article in Wired, email tracking services and their counterparts, anti-tracking services, have been rapidly gaining ground on the web, to the point that 40% of all email being sent, and 99% of the emails that make up the bulk of what you receive (newsletters, marketing materials, notifications and transactional emails), are now being tracked. There’s even a 16% chance that any conversational email you receive from your professional contacts, friends, family, etc. is being actively tracked. Most, if not all, of this happens without your consent.
Whether services like this are good or evil is subjective; however, if your organization is considering (or already using) an email tracking service, also consider the following:
- Is the data being gathered without informed consent?
- If so, have you reviewed your risk exposure with regard to complying with privacy regulations that require informed consent for obtaining information in this manner, such as GDPR and COPPA?
- What action might the recipients take if they found out you were collecting this information?
- What audit controls are in place to ensure the information being collected is not being misused?
- How did you determine the value of the data you are collecting outweighs these risks?
- Are you in compliance with rules and regulations related to marketing, such as the CAN-SPAM Act and the UK’s Privacy and Electronic Communications Regulations of 2003?
- If you are averse to the idea of your organization being tracked, do you have any controls in place to combat this threat?
If you have specific questions about email trackers and the potential risks of using or resisting them, please reach out directly to me or Amy Carlson.
Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there still seems to be a significant knowledge gap among business leaders with respect to the threats that prominent cyberattacks pose to their organizations. Only 14% of business leaders in this report were aware of the Dyn attack that brought down large swaths of the Internet back in October 2016, and a paltry 8% of those surveyed were aware of the patchable Apache Struts vulnerability exploited in the Equifax data breach.
If executives sponsoring software development and/or acquisition projects do not have at least a basic level of awareness of cyber security threats, they will fail to ensure that application security is successfully built into those projects. Veracode’s survey also found that 65 percent of all internally developed applications did not successfully address the OWASP Top 10 security vulnerabilities. Ensuring your applications are securely designed to avoid these vulnerabilities should be considered a baseline requirement of any software development project. Asking for evidence of secure coding practices from any software supplier should be a baseline requirement of any RFP.
To stay well-informed about cyber security threats, vulnerabilities, trends and risk mitigation strategies, we recommend:
- Subscribing to alert/advisory feeds like US-CERT, ICS-CERT, The National Vulnerability Database, etc.
- Joining an information sharing organization – your industry may have an ISAC already; Stoel Rives is a member of the LS-ISAO
- Following prominent security professionals with easily-digestible blogs, like Bruce Schneier and Brian Krebs
- Meeting regularly (at least quarterly, but monthly is better) with the person or vendor in charge of your information security program to review threats and action plans
- Conducting annual risk assessments using a qualified third party to get independent, expert feedback on your overall security posture
- Requiring all members of your organization to participate in regular cyber security training