Podcasts about gpdr

  • 31 podcasts
  • 35 episodes
  • 34m average duration
  • Frequency: infrequent episodes
  • Latest episode: Apr 30, 2025

Popularity chart (2017–2024)


Best podcasts about gpdr

Latest podcast episodes about gpdr

Bundlinjen - med Magnus Barsøe
Flash analysis: One of history's most hated laws may soon be changed significantly

Bundlinjen - med Magnus Barsøe

Apr 30, 2025 · 5:54


For years it has been one of the most criticised pieces of legislation, causing an enormous amount of hassle and extra work for businesses – and for private individuals. But now the responsible minister is ready to bring out the big plane when it comes to the EU's data protection law, the GDPR. And the business community backs it – even those who make money advising on the law. In this flash analysis, hear which companies in particular stand to benefit from a slimmer GDPR regime, and how much companies are estimated to spend on administering the much-criticised rules. Guest: Simone Scheuer-Hansen, journalist, Finans. Host: Mads Ring. Producer: Mads Ring.

The FIT4PRIVACY Podcast - For those who care about privacy
Data Privacy Landscape in India With Vinayak Godse & Punit Bhatia in The FIT4Privacy Podcast with E092 S4

The FIT4PRIVACY Podcast - For those who care about privacy

Aug 3, 2023 · 29:33


We always say that privacy and security are interrelated and there is no privacy without security. What is the role of the Data Security Council of India in terms of the security and privacy of people in India? How is innovation contributing to privacy implementations? And who better than the CEO of DSCI, Vinayak Godse, to discuss all these aspects and the data privacy landscape in India.

KEY CONVERSATION POINTS
  • Intro
  • What is GDPR in one word?
  • GDPR beyond the legal and technological aspect
  • What is the current Indian privacy landscape?
  • The role of the Data Security Council of India
  • What are the challenges in India when it comes to privacy?
  • Message to organizations regarding data security and privacy
  • Closing

ABOUT THE GUEST
Vinayak Godse is the CEO of the Data Security Council of India. He has over 27 years of experience in Information Security, IT Transformation, Intelligent Networking and Telecom Infrastructure. Vinayak also leads the National Centre of Excellence (NCoE) for Cybersecurity Technology and Entrepreneurship, a joint initiative of DSCI and the Ministry of Electronics & IT. NCoE is engaged in cybersecurity industry building, fostering security research and product engineering, and building an ecosystem for security entrepreneurship. He has been deeply engaged with all initiatives of DSCI with government stakeholders and sectoral regulators. He was instrumental in developing the DSCI Security Framework (DSF), the DSCI Privacy Framework (DPF) and the DSCI Certified Privacy Lead Assessor (DCPLA) and DSCI Certified Privacy Professional (DCPP) certifications, and conducted many of these training programs. Prior to DSCI, he worked with the Global Consulting Practice of TCS in Information Risk Management and also worked as a Telecom Engineer at BSNL. He started his career as a lecturer in Electronics Engineering.

ABOUT THE HOST
Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high privacy awareness and compliance as a business priority. Selectively, Punit is open to mentoring and coaching privacy professionals. Punit is the author of the books “Be Ready for GDPR”, which was rated as the best GDPR book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 30 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst the top GDPR and privacy podcasts. As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed the philosophy named ‘ABC for joy of life’, which he passionately shares. Punit is based out of Belgium, the heart of Europe.

RESOURCES
Websites: www.fit4privacy.com, www.punitbhatia.com, www.dsci.in
Podcast: https://www.fit4privacy.com/podcast
Blog: https://www.fit4privacy.com/blog
YouTube: http://youtube.com/fit4privacy

Ben Yeoh Chats
Annemarie Naylor: Public Goods, Sovereign Health Fund, Technology And Future Of Justice

Ben Yeoh Chats

Apr 22, 2022 · 67:59


Annemarie is Director of Innovation for the Seetec Group. Before that, she was Director of Policy and Strategy at Future Care Capital, a national charity that uses the insight gathered through evidence-based research to advance ideas that will help shape future health and social care policy to deliver better outcomes for society. We chat about what is under-appreciated about libraries and how to think about public goods and common ownership of those goods. Annemarie discusses the idea of a Sovereign Health Fund and how to think about healthcare data as a public good, what trust is needed, and how health value can be created by pooling data. We discuss the benefits and cons of social media, how tricky regulation is (partly because it is always behind the times) and how there might be more benefits than commonly thought. Annemarie talks about her work and Seetec's on the future of justice and how leveraging data and digital technology can help shape a better justice system and also prevent re-offending. She offers insights into how new technology is creating new forms of crime and whether more careful thinking can prevent these types of crime from occurring. How will crime in the metaverse work out? We chat about how different ownership models, for-profit or not-for-profit, can shape the purpose and outlook for employees; the importance of optimism; and the sense of looking after something for the next generation. Annemarie notes Henry VIII gave powers to the secretary of state but didn't consider accountability provisions. She raises the challenge of accounting standards for intangible assets and proposes an idea of giving NFTs (digital assets) to children at birth (cf. Bored Ape Yacht Club). Annemarie is more of a nonfiction reader, but she commissioned a work of science fiction and we speak about imagining different types of future and how to inspire people.
We play overrated/underrated on: Big Tech regulation; GDPR (data regulation); GDP; carbon tax; digital health; innovation agencies; calories on menus. Annemarie ends our conversation by giving her life advice. Transcript and video are available here.

The Sunday Show
The Privacy Imperative: Nathalie Maréchal & Matthew Crain

The Sunday Show

Apr 20, 2022 · 35:28


Privacy is one of the fundamental issues in tech policy. And yet, in the United States progress on this issue has been elusive at the federal level, even as Europe has forged ahead with its General Data Protection Regulation (GDPR) and now the Digital Markets Act, which will reinforce the privacy protections afforded EU citizens under the GDPR with new provisions. And yet there are bills before Congress that could change things in the U.S., such as the Banning Surveillance Advertising Act, which was introduced earlier this year by Democrats. At the time, Senator Cory Booker, a Democrat from New Jersey, said that “The hoarding of people's personal data not only abuses privacy, but also drives the spread of misinformation, domestic extremism, racial division, and violence.” To talk more about the history of how we ended up with an internet bought and paid for by surveillance advertising and what might drive reform, I spoke to two experts in the field, Dr. Nathalie Maréchal and Dr. Matthew Crain.

The Irish Tech News Podcast
Data Protection, Marketers & GDPR; Podcast with Steven Roberts

The Irish Tech News Podcast

Sep 20, 2021 · 15:29


Ria talks with Steven Roberts about his recently published book ‘Data Protection for Marketers: A Practical Guide’, and how data protection is constantly changing. He also speaks about GDPR and the difficulties that can be faced by marketers and marketing teams when implementing GDPR principles. Steve elaborates on his work and how keeping up to date with data protection regulations will create transparency within and outside the work environment. Steven Roberts is head of marketing at Griffith College. He is a certified data protection officer and vice-chair of the ACOI's data protection and information security working group. His new book, Data Protection for Marketers: A Practical Guide, published by Orpen Press, is available now at all good bookstores.

The Irish Tech News Podcast
Data Protection for Marketers: A Practical Guide, insights with Steven Roberts

The Irish Tech News Podcast

Jun 23, 2021 · 16:05


Ria talks with Steven Roberts about his recently published book ‘Data Protection for Marketers: A Practical Guide’, and how data protection is constantly changing. He also speaks about GDPR and the difficulties that can be faced by marketers and marketing teams when implementing GDPR principles. Steve elaborates on his work and how keeping up to date with data protection regulations will create transparency within and outside the work environment. Steven Roberts is head of marketing at Griffith College. He is a certified data protection officer and vice-chair of the ACOI's data protection and information security working group. His new book, Data Protection for Marketers: A Practical Guide, published by Orpen Press, is available now at all good bookstores.

Lead. Learn. Change.
Debbie Reynolds - Diving into Data Privacy with the Data Diva

Lead. Learn. Change.

Mar 30, 2021 · 42:00


  • Accomplishments and learning to cook (3:30)
  • Chicago, Illinois - Gary, Indiana - parents valued education (4:50)
  • Mother’s reading of a book led to initial interest in data privacy issues (5:30)
  • Personal interest and “hobby” is now a career (6:00)
  • The Nazis’ practices gave rise to the undergirding principles of the GDPR - General Data Protection Regulation (7:00)
  • GDPR – EU’s first law that could impose large monetary fines on corporations (7:30)
  • Privacy as a fundamental right – EU and the US (7:55)
  • More details about GDPR’s connection to events of World War II (9:00)
  • High school or college coursework and connections with current events (10:10)
  • Drama courses and the significant impact on life and career (11:40)
  • “A right to be forgotten” (13:10)
  • The GDPR covers individuals when they are in the EU (13:25)
  • An individual’s GDPR rights travel with their data (13:50)
  • What should students learn about data privacy? (14:50)
  • At what age should students learn about data privacy? (16:10)
  • Any tips for parents? (16:20)
  • The need for educators to be aware of data privacy issues (17:55)
  • Avoid the co-mingling of your personal and professional work online (18:45)
  • Use multiple browsers, avoid clicking on links, keep software up to date, reboot your computer regularly (19:20)
  • Passwords, password managers (20:30)
  • FIDO – accessing information without passwords (22:05)
  • Differentiating awareness, information, and detail based on client knowledge and need (24:10)
  • Collect only the data you need (24:45)
  • A teacher who could demystify for their students (26:10)
  • Attention commands attention (26:25)
  • Debbie’s journey to become the Data Diva (27:25)
  • Speaking in the Big Mac room (28:20)
  • The law follows the technology (29:45)
  • Apple’s iOS 14 – impact on advertising (30:30)
  • Apps reading your clipboard, including passwords (31:10)
  • Debbie’s mentors and colleagues - Dawid Jacobs, Pia Tesdorf, Emma Lindley (33:00)
  • Fake identities, digital twin, bias in algorithms (33:40)
  • How educational organizations can be prepared for the next digital change (35:40)
  • Temperature data, archived information, schools and businesses, transparency (36:00)
  • Facial recognition, bias, false positives, mistaken identity (37:00)
  • Computers only do what the programmers tell the computer to do, industry standards (38:40)
  • People, not statistics – the ripple effects of error rates (39:40)
  • Favorite teacher - high school drama (40:10)
  • Communicate, convey information, and learn how to move through the world (40:30)

Links: Debbie Reynolds Consulting; Debbie Reynolds LinkedIn; The Right to Privacy, by Ellen Alderman and Caroline Kennedy; Emma Lindley LinkedIn; Pia Tesdorf LinkedIn; Dawid Jacobs LinkedIn; Professional Association of Georgia Educators; David’s LinkedIn page.
Music for Lead. Learn. Change. is Sweet Adrenaline by Delicate Beats. Podcast cover art for Lead. Learn. Change. is a view from Brunnkogel (mountaintop) over the mountains of the Salzkammergut in Austria, courtesy of photographer Simon Berger, published on www.unsplash.com.

Podcast de tecnología e informática
Podcast 75 - Clubhouse has GDPR problems in Germany; discussing GDPR and CCPA

Podcast de tecnología e informática

Feb 20, 2021 · 7:17


Good evening, here is my podcast for today, talking about the privacy problems surrounding the application of the GDPR in Europe.

IOTtoday
Data Monetization and the Ducopod project

IOTtoday

Jan 12, 2021 · 4:53


Data Monetization and the Ducopod project represent the most delicate and ambitious goal concerning the value of data. What does it consist of? The European Ducopod project seeks to answer the question: is data monetization taboo or reality? It aims to give personal data value by exchanging it for the provision of goods or services. The aim of the researchers on this European project is to analyse the right to data portability (Art. 20 GDPR). Data Monetization touches on one of the most delicate issues in the protection of personal data. The question is undoubtedly premature, and it is not easy to give unequivocal answers. Before answering, institutions and data subjects alike must gain a progressive awareness of data monetization. The rules in force allow personal data to be monetized without, however, regulating the matter clearly.

Data Monetization and the Ducopod project: what Art. 20 GDPR says. The Ducopod case study aims to identify the risks and opportunities of monetizing personal data. Before looking for answers, one has to ask the right questions about Data Monetization in order to frame the issue properly. Art. 20 GDPR, which addresses the right to data portability, is for many the ‘core’ of the question when outlining a future economy of data monetization. Paragraph 1 of this article establishes that the data subject has the right to receive the personal data concerning them which they have provided to a controller. It also specifies that they may transmit those data to a second controller without the first one hindering them. There is more: the data subject, where possible, may request and obtain the direct transmission of the data from one controller to the other (paragraph 2). Such direct transmission is feasible if the processing is carried out by automated means and only if it is based, of course, on consent or on a contract (Art. 6). In other words, the GDPR allows a controller, at the data subject's request, to transmit personal data by automated means to another controller.

Data monetization in a Smart City. Better than other scenarios, a Smart City (with its physical and digital boundaries) makes us reflect on the question of Data Monetization. The recipient of personal data (Arts. 13 and 14 GDPR) can be a public authority, a natural or legal person, or another body, including a controller or processor that receives data from other controllers at the request or with the consent of the data subject (right to portability). Under Art. 4 GDPR, the data subject's consent is any freely given indication of their wishes. Let us take an example. A person books a metro ticket online, giving the transport company consent to process their personal data. The transport company gives them the ticket for free on condition that it may transmit their geolocation data to other controllers. The data subject accepts. During the journey they receive advertising notifications, including one from a café (in the area the user is heading to) offering a discount on breakfast. They accept the discount and have breakfast in that café. By receiving the free ticket and the café discount, is the data subject expressing consent freely, or are they being conditioned by these offers in exchange for their personal data? Recital 43 makes a clarification: freely given consent must be separate for the different processing operations of personal data. In the example, the user has given two separate consents (to the transport company and to the café).
Of course, the third-party recipients will have to process the personal data in an adequate and relevant manner, within the limits of the purposes for which they are processed (in this case, the geolocation...

Netokracija Podcast
How to start a blog in 2020

Netokracija Podcast

Oct 12, 2020 · 46:59


How do you build a blog that everyone will read? Our Ivan was recently surprised by a LinkedIn status from Nedeljko Lužija, who decided to start his own blog – in 2020. Is blogging worth it, or is everyone on Instagram and YouTube for a reason? Ivan and Mia share practical tips on how to start writing your blog, regardless of which platform you choose – and why it pays to blog on a personal or professional blog. After all, before Netokracija was a magazine it was a blog, and Ivan used to be called ‘the blogger without a blog’! ► Examples of successful blogs in Croatia ► Where to write: WordPress, Medium... ► How often to write ► Pick a topic! ► Newsletters, GDPR and cookies, and search engine optimization ► Where's the money? ► Why write at all? ► Is blogging worth it in 2020? __________ GET THE NETOKRACIJA NEWSLETTER Free in your inbox ► https://netokracija.com/newsletter TIP US OFF Have a suggestion or want to report news ► info@netokracija.com FOLLOW NETOKRACIJA ON SOCIAL MEDIA Follow us on Twitter ► http://twitter.com/netokracija Follow us on Instagram ► http://instagram.com/netokracija Like us on Facebook ► http://www.fb.com/netokracija FOLLOW YOUR NETOKRATS Ivan Brezak Brkan (IBB) https://www.instagram.com/ivanbrezakbrkan https://linkedin.com/in/ivanbrezakbrkan Mia Biberović http://www.twitter.com/cyberkoza https://www.instagram.com/cyberkoza https://www.linkedin.com/in/miabiberovic/

Socrates Dergi
Yeni Medya 451 #4 | Gaining Data Awareness

Socrates Dergi

Jul 25, 2020 · 54:55


In the fourth episode of Yeni Medya 451, Can Öz and Ümit Alan take on the topic of “big data”. After touching on open data, big data leaks such as WikiLeaks and the Panama Papers, and data journalism, we talk about the use of the GDPR (the European Union's General Data Protection Regulation) in Turkey. How well informed are we about our rights as data subjects? What will happen to our digital legacy after we die? Ümit Alan's article in the Birgün newspaper on the “right to be forgotten”, mentioned in the episode: https://www.birgun.net/haber/unutulma-hakki-meselesinde-unutulmamasi-gerekenler-308859


Yeni Medya 451
Yeni Medya 451 #4 | Gaining Data Awareness

Yeni Medya 451

Jul 25, 2020 · 54:55


In the fourth episode of Yeni Medya 451, Can Öz and Ümit Alan take on the topic of “big data”. After touching on open data, big data leaks such as WikiLeaks and the Panama Papers, and data journalism, we talk about the use of the GDPR (the European Union's General Data Protection Regulation) in Turkey. How well informed are we about our rights as data subjects? What will happen to our digital legacy after we die? Ümit Alan's article in the Birgün newspaper on the “right to be forgotten”, mentioned in the episode: https://www.birgun.net/haber/unutulma-hakki-meselesinde-unutulmamasi-gerekenler-308859

The FS Club Podcast
Covid-19 Contact Tracing – A Solution? A Privacy & GDPR Nightmare? A Technical Bridge Too Far?

The FS Club Podcast

May 28, 2020 · 46:21


Contact-tracing apps on mobile phones have been a key element of plans to get societies back to "normal" in the face of Covid-19. The promise of automatically identifying who may be at risk of contracting Covid-19 is attractive, but effective use of such apps faces a host of barriers. Privacy risks have been at the forefront, since any centralised solution that automatically reports contacts to health authorities would also be a surveillance tool. Privacy regulators have called foul under the GDPR, Apple and Google have refused to equip their operating systems to deliver such functions, and the public seems unlikely to accept such surveillance even if it were on offer. And there are serious technical and behavioural questions about whether contact-tracing apps would work even if they were widely adopted. We discuss the opportunity, challenges and alternatives. Speaker: Maury Shenk's experience focuses on the intersection of technology, law and education. He is co-founder and CEO of edtech start-up LearnerShape, director of global testing and certification company PeopleCert, and founder and managing director of Lily Innovation, through which he handles a portfolio of other investment and advisory activities. Maury is a dual-qualified US/UK lawyer and former managing partner of the London office of global law firm Steptoe & Johnson, where he remains an advisor. He has a deep practical understanding of technology, especially artificial intelligence, IT, telecommunications and information security. Maury is a graduate of Harvard College and Stanford Law School. He is a lover of languages – a native speaker of English (the American version), proficient in French and Russian, comfortable in Mandarin Chinese and Spanish, and a dilettante in German, Italian, Norwegian and Greek. He is also a guitar player and an avid competitive and recreational sailor.

Seginfocast - Segurança da Informação - podcast
SegInfoCast #72 - How to Obtain the EXIN Data Protection Officer (DPO) Certification

Seginfocast - Segurança da Informação - podcast

May 7, 2020 · 33:54


With the GDPR coming into force in the European Union, the topic of privacy and data protection has gained enormous importance worldwide. To keep trading with the world's largest trading bloc, several countries created their own laws based on the GDPR, such as Japan, South Korea and also Brazil, with the Lei Geral de Proteção de Dados (LGPD). To comply with these laws, companies will need to hire professionals specialised in privacy and data protection. One of these professionals will be the DPO (Data Protection Officer), or Encarregado de Proteção de Dados under the LGPD. An internationally recognised certification issued by a trustworthy body with decades of experience will certainly set such a professional apart when competing for a position. The EXIN Data Protection Officer certification provides the right knowledge and competences for those who want to become, or already are, a DPO (Encarregado) or any other privacy and data protection professional. But do you know what the requirements are for obtaining the EXIN Data Protection Officer title? That is the topic of the new Clavis webinar “Como Obter a Certificação EXIN DPO?” (“How to Obtain the EXIN DPO Certification?”), presented by Luiz Felipe Ferreira, official EXIN instructor, lecturer in the privacy and data protection courses at Academia Clavis and host of SegInfocast.

Another World is Podable
Episode 14: The Revolution Continues With Dr. Phoebe Moore

Another World is Podable

May 3, 2020 · 70:23


Dr Phoebe V Moore's research looks at the impact of technology on work from a critical perspective. Currently, Moore is leading a large European Parliament project on workplace surveillance, data protection and privacy, where she looks at workplace monitoring and tracking practices in the context of the GDPR. Moore is writing her next book, called The Smart Worker: Symptoms and Structure of Artificial Intelligence, where she argues that the development of artificial intelligence augmented tools and applications is occurring via workers' affective labour. She has edited a Special Issue called Machines & Measure, which will soon be published in Capital & Class, and her last book, The Quantified Self in Precarity: Work, Technology and What Counts, looks at wearable tracking and algorithmic decision-making as a set of management techniques. Moore regularly features on prominent news channels, including the BBC's recent programme entitled ‘Is your Boss Watching You?’ (https://www.bbc.co.uk/programmes/w3csy9v4). Website: https://phoebevmoore.wordpress.com/about/

MI Stúdió
Digital disease investigation: variations on a theme – Contact tracing in the time of the coronavirus

MI Stúdió

Apr 29, 2020 · 24:21


In the early phase of an epidemic, so-called disease detectives try to map the spread of the infection, but can AI-based contact tracing replace their work? With our expert Érdi-Krausz Gábor we looked at which solutions are competing with each other around the world, and how worrying it is to sacrifice the GDPR on the altar of virus protection. Music by audionautix.com

Cyber and Technology with Mike
28 April 2020 Cyber and Tech News

Cyber and Technology with Mike

Apr 29, 2020 · 9:21


In today's podcast we cover four crucial cyber and technology topics, including: 1. UK's NHS rejects COVID apps made by Google and Apple 2. London-based architecture firm suffers data breach; ransomware 3. Azeri news site disrupted, possibly by the Government 4. UK university fails to notify possible victims of data exposure. I'd love feedback; feel free to send your comments and feedback to cyberandtechwithmike@gmail.com

Seipod
Ep.11 GDPR Post Brexit w/ Harry Boje

Seipod

Apr 27, 2020 · 30:59


Data protection is unlikely to be foremost in people’s minds when considering the impact of Brexit, whether it be soft or hard, deal or no deal. The UK Government has, however, recently issued papers about various topics in a ‘no deal’ situation, and one of these is entitled: Data protection if there’s no Brexit deal. In this podcast we speak with Harry Boje, a Data Privacy expert. Speaker Profile: Harry Boje is a Certified Data Protection Officer and GDPR-certified data protection specialist, with an exemplary career spanning the public and private sectors for NHS hospitals, leasing companies, digital media specialists, global pharmaceuticals, charities, universities and multi-billion global manufacturing businesses. He has experience in global organisations as Group Data Protection Officer and is presently Chief Privacy Officer for a large not-for-profit organisation. Prior to these roles, Harry worked on GDPR projects across different sectors for the past 3 years, ranging from GDPR Business Analyst and GDPR SME to GDPR Consultant. His skills are in business analysis and IT, inclusive of PRINCE2, ITIL and Agile. Most recently he has led up to 40 DPOs and data champions in a global data privacy programme, and supported GDPR process improvement and policy creation in multiple businesses to future-proof against the ever-changing landscape of regulations. He offers additional expertise having managed the life cycle of IT projects to support service transition, system implementations and capability. I have a master’s degree in Computer and Network Security, ISO 27001 Lead Implementer, ITIL. In the last 4 years my passion has been around privacy and data protection; during this time I have helped organisations implement GDPR.

Biznesninja
Episode 4 - Kinga Konopelko | How to be GDPR-proof

Biznesninja

Apr 9, 2020 · 78:25


The topic of privacy policies, the processing of personal data and the related legal obligations has already cost many an entrepreneur their sleep. RODO (the Polish term for the GDPR) is our skeleton in the closet, our nightmare and bane. Does it have to be that way? Not necessarily, if you approach RODO as a process, step by step, and under the eye of an expert in the field. This time I talk with Kinga Konopelko, a legal counsel who talks about business law in PLAIN language. Links mentioned in this episode: - download Kinga's free e-book "Prawo i Strategia Biznesu Online" ("Law and Strategy for Online Business"): https://zapis.kingakonopelko.pl/ebook-2/ - the Memorigi task app: https://tinbits.io/ - the 1Password app: https://1password.com/ - free SSL from Let's Encrypt: https://letsencrypt.org/ You can watch the video version of this episode here: https://youtu.be/M34gkkA562s

El gato de Turing
117 – A pale blue dot

El gato de Turing

Feb 21, 2020 · 85:01


It has been 30 years since the Voyager 1 space probe turned around to take a photo of our world, a tiny speck of dust, a pale blue dot in the middle of an immense universe. In this episode we tell you all about that photo, plus many more science and technology news items, in an episode with plenty of space. We hope you enjoy it! News: The Mobile World Congress has been cancelled: the GSMA will not hold the world's biggest telephony event because of the coronavirus – https://www.xataka.com/eventos/mobile-world-congress-ha-sido-cancelado-gsma-no-celebrara-mayor-evento-telefonia-mundo-coronavirus Three decades of ‘a pale blue dot’ – https://danielmarin.naukas.com/2020/02/14/tres-decadas-de-un-punto-azul-palido/ On the edge of disaster: the first mission of Boeing's Starliner spacecraft – https://danielmarin.naukas.com/2020/02/09/al-filo-del-desastre-la-primera-mision-de-la-nave-starliner-de-boeing/ The four finalist probes for NASA's next Discovery mission – https://danielmarin.naukas.com/2020/02/14/las-cuatro-finalistas-para-la-proxima-mision-discovery-de-la-nasa/ Essential announces its shutdown, three years after presenting its first smartphone – https://www.xataka.com/moviles/essential-anuncia-su-cierre-tres-anos-despues-presentar-su-primer-smartphone Brexit compromises the privacy of Britons: Google will swap the restrictive European GDPR for the weak US law – https://www.xataka.com/privacidad/brexit-compromete-privacidad-britanicos-google-cambiara-restrictivo-rgpd-europeo-debil-ley-ee-uu Episode music: Avercage – Enflammer – https://www.jamendo.com/track/1465147/enflammer Louis Le Mercier – Hopes (2011) – https://www.jamendo.com/track/746916/hopes Message From Sylvia – Heart of War – https://www.jamendo.com/track/1394654/heart-of-war You can find us on Twitter and on Facebook!

Dell EMC Healthcare PowerChat
HealthCare PowerChat #028 - Healthcare IT Transformation in EMEA with James Norman Part II

Dell EMC Healthcare PowerChat

Apr 22, 2019 · 12:25


In Part II of this two-part podcast, James Norman, Dell’s CIO for Healthcare in the EMEA region, discusses GDPR, other HIT data regulations, security, cyber-threats, and Dell’s products and services.

IBM thinkLeaders
GPDR is the Marie Kondo of Data, Feat. Jamie Gutfreund, CMO, Wunderman Thompson

IBM thinkLeaders

Play Episode Listen Later Feb 28, 2019 30:10


We sat down with Jamie Gutfreund, Global CMO of Wunderman Thompson, to talk about the future of marketing as she sees it. Jamie shared some key insights with case studies as diverse as Fortnite and Chance the Rapper, about how tomorrow's best marketing initiatives will be integrated and unsiloed, an elegant partnership between data and creative. They will seek to change and adapt to fit customers' changing needs, pursuing "wantedness" and community rather than the myth of the customer with undying loyalty.

Inside Out Security
Data Privacy Attorney Sheila FitzPatrick on GDPR

Inside Out Security

Play Episode Listen Later Oct 31, 2018 15:50


We had a unique opportunity in talking with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience in representing companies in front of EU data protection authorities (DPAs). She also sits on various governmental data privacy advisory boards. During this first part of the interview with her, we focused on the new General Data Protection Regulation (GDPR), which she says is the biggest overhaul in EU security and privacy rules in twenty years. One important point FitzPatrick makes is that the GDPR is not only more restrictive than the existing Data Protection Directive—breach notification, impact assessment rules—but also has far broader coverage. Cloud computing companies no matter where they are located will be under the GDPR if they are asked to process personal data of EU citizens by their corporate customers. The same goes for companies (or controllers in GDPR-speak) outside the EU who directly collect personal data – think of any US-based e-commerce or social networking company on the web. Keep all this in mind as you listen to our in-depth discussion with this data privacy and security law professional.

Transcript
Cindy Ng: Sheila FitzPatrick has over 20 years of experience running her own firm as a data protection attorney. She also serves as outside counsel for Netapp as their chief privacy officer, where she provides expertise in global data protection compliance, cyber security regulations, and legal issues associated with cloud computing and big data. In this series, Sheila will be sharing her expertise on GDPR, PCI compliance, and the data security landscape.
Andy Green: Yeah, Sheila. I'm very impressed by your bio and the fact that you've actually dealt with some of these PPA's and EU data protection authorities that we've been writing about. I know there's been, so the GDPR will go into effect in 2018, and I'm just wondering what sort of the biggest change for companies, I guess they're calling them data controllers, in dealing with DPAs under the law. Is there something that comes to mind first?
Sheila FitzPatrick: And thank you for the compliment by the way. I live and breathe data privacy. This is the stuff I love. GDPR... I mean is certainly the biggest overhaul in 20 years, when it comes to the implication of new data privacy regulations. Much more restrictive than what we've seen in the past. And most companies are struggling because they thought what was previously in place was strict. There's a couple things that stick out when it comes to GDPR, is when you look at the roles of the data controller versus the data processor, in the past many of the data processors, especially when you talk about third party outsourcing companies and any particular cloud providers, have pushed sole liability for data compliance down to their customers. Basically, saying you decide what you're going to put in our environment, you have responsibility for the privacy and security aspects. We basically accept minimal responsibility. Usually, it's around physical security. The GDPR now is going to put very comprehensive and very well-defined regulations and obligations in place for data processors as well. Saying that they can no longer flow responsibility for privacy compliance down to their customers. And if they're going to be... even if they... often times, cloud providers will say, "We will comply with the laws in countries where we have our processing centers." And that's not sufficient under the new laws. Because if they have a data processing center say in the UK, but they're processing the data of a German citizen or a Canadian citizen or someone from Asia Pacific, Australia, New Zealand, they're now going to have to comply with the laws in those countries as well. They can't just push it down to their customers. The other part of GDPR that is quite different and it's one of the first times it's really going to be put into place is that it doesn't just apply to companies that have operations within the EU. It is basically any company regardless of where they're located and regardless of whether or not they have a presence in the EU, if they have access to the personal data of any EU citizen they will have to comply with the regulations under the GDPR. And that's a significant change. And then the third one being the sanction. And the sanction can be 20,000,000 euro or 4% of your global annual revenue, whichever is higher. That's a substantial change as well.
Andy Green: Right, so that's some big, big changes. So you're referring to I think, what they call 'territorial scope'? They don't have to necessarily have an office or an establishment in the EU as long as they are collecting data? I mean we're really referring to social media and to the web commerce, or e-commerce.
Sheila FitzPatrick: Absolutely, but it's going to apply to any company. So even if for instance you say, "Well, we don't have any, we're just a US domestic company", but if you have employees in your environment that hold EU citizenship, you will have to protect their data in accordance with GDPR. You can't say, well they're working in the US, therefore US law applies. That's not going to be the case if they know that the individual holds citizenship in the EU.
Andy Green: We're talking about employees, or...?
Sheila FitzPatrick: Could be employees, absolutely. Employees...
Andy Green: Anybody?
Sheila FitzPatrick: Anybody.
Andy Green: Isn't that interesting? I mean one question about this expanded territorial scope, is how are they going to enforce this against US companies? Or not just US, but any company that is doing business but doesn't necessarily have an office or an establishment?
Sheila FitzPatrick: Well it can be... see what happens under GDPR is any individual can file a complaint with the courts in basically any jurisdiction. They can file it at the EU level. They can file it within the countries where they hold their citizenship. They can file it now with US courts, although the US courts... and part of that is tied to the new privacy shield, which is a joke. I mean, I think that will be invalidated fairly quickly. With the whole Redress Act, it does allow EU citizens to file complaints with the US courts to protect their personal data in accordance with EU laws.
Andy Green: So, just to follow through, if I came from the UK into the US and was doing transactions, credit card transactions, my data would be protected under EU law?
Sheila FitzPatrick: Well, if the company knows you're an EU citizen. They're not going to necessarily know. So, in some cases if they don't know, they're not going to be held accountable. But if they absolutely do know then they will have to protect that data in accordance with UK or EU law. Well, not the UK... if Brexit goes through, the EU law won't matter. The UK data protection act will take precedence.
Andy Green: Wow. You know it's just really fascinating how the data protection and privacy now is just so important. Right, with the new GDPR? For everybody, not just the EU companies.
Sheila FitzPatrick: Yeah, and it's always been important, it's just the US has a totally different attitude. I mean the US has the least restrictive privacy laws in the world. So for individuals that have really never worked or lived outside of the US, the mindset is very much the US mindset, which is the business takes precedence. Where everywhere else in the world, the fundamental right to privacy takes precedence over everything.
Andy Green: We're getting a lot of questions from our customers on the new Breach Notification rule...
Sheila FitzPatrick: Ask me.
Andy Green: ...in the GDPR. I was wondering if you could talk about... What are some of the most important things you would do when you discover a breach? I mean if you could prioritize it in any way. How would you advise a customer about how to have a breach response program in a GDPR context?
Sheila FitzPatrick: Yeah. Well first and foremost you do need to have in place, before a breach even occurs, an incident response team that's not made up of just the IT. Because normally organizations have an IT focus. You need to have a response team that includes IT, your chief privacy officer. And if the person... normally a CPO would sit in legal. If he doesn't sit in legal, you want a legal representative in there as well. You need someone from PR, communications that can actually be the public-facing voice for the company. You need to have someone within Finance and Risk Management that sits on there. So the first thing to do is to make sure you have that group in place that goes into action immediately. Secondly, you need to determine what data has potentially been breached, even if it hasn't. Because under GDPR, it's not... previously it's been if there's definitely been a breach that can harm an individual. The definition is if it's likely to affect an individual. That's totally different than if the individual could be harmed. So you need to determine okay, what data has been breached, and does it impact an individual? So, as opposed to if company-related information was breached, there's a different process you go through. Individual employee or customer data has been breached, the individual, is it likely to affect them? So that's pretty much anything. That's a very broad definition. If someone gets a hold of their email address, yes, that could affect them. Someone could email them who is not authorized to email them. So, you have to launch into that investigation right away and then classify the data that has been any intrusion into the data, what that data is classified as. Is it personal data? Is it personal sensitive data? And then rank it based on is it likely to affect an individual? Is it likely to impact an individual? Is it likely to harm an individual? So there could be three levels. Based on that, what kind of notification? So if it's likely to affect or impact an individual, you would have to let them know. If it's likely to harm an individual, you absolutely have to let them know and the data protection authorities know.
Andy Green: And the DPA, right? So, if I'm a consumer, the threshold is... in other words, if the company's holding my data, I'm not an employee, the threshold is likely to harm or likely to affect?
Sheila FitzPatrick: Likely to affect.
Andy Green: Affect. Okay. That's a little more generous in terms of...
Sheila FitzPatrick: Right. Right. And that has changed, so it's put more accountability on a company, because you know that a lot of companies have probably had breaches and have never reported them. So, because they go oh well, there was no Social Security Number, National Identification number, or financial data. It was just their name and their address and their home phone number or their cell phone. And the definition previously has been well, it can't really harm them. We don't need to let them know. And then all of a sudden people's names show up on these mailing lists. And they're starting to get this unsolicited marketing. And they can't determine whether or not... how did they get that? Was it based on a breach or is it based on trolling the Internet and gathering information and a broker selling that information? That's the other thing. Brokers are going to be impacted by the new GDPR, because in order to sell their lists they have to have explicit consent of the individual to include their name on a list that they're going to sell to companies.
Andy Green: Alright. Okay. So, it's quite consumer friendly compared to what we have in the US.
Sheila FitzPatrick: Yes.
Andy Green: Are there sort of new rules about what they call sensitive data? And if you're going to process certain classes of sensitive data, you need approval from the... I think at some point you might need approval from the DPA? You know what I'm referring to? I think it's the...
Sheila FitzPatrick: Yes. Absolutely. I mean, that's always been in place in most of the member states. So, if you look at the member states that have the more restrictive data privacy laws like Germany, France, Italy, Spain, Netherlands, they've always had the requirement that you have to register the data with the data protection authorities. And in order to collect and transfer outside of the country of origination any sensitive data, it did require approval. The difference now is that any personal data that you collect on an individual, whether it's an employee, whether it's a customer, whether it's a supplier, you have to obtain unambiguous and freely given explicit consent. Now this is any kind of data, and that includes sensitive data. Now the one difference with the new law is that there are just a few categories which are truly defined as sensitive data. That's not what we think of sensitive data. We think of like birth date. Maybe gender. That information is certainly considered sensitive under... that's personal data under EU law and everywhere else in the world, so it has to be treated to a high degree of privacy. But the categories that are political/religious affiliation, medical history, criminal convictions, social issues and trade union membership: that's a subset. It's considered highly sensitive information in Europe. To collect and transfer that information is going to now require explicit approval not only from the individual but from the DPA. Separate from the registrations you have done.
Andy Green: So, I think what I'm referring to is what they call the Impact Assessment.
Sheila FitzPatrick: Privacy Impact Assessments have to be conducted now anytime... and we've always... Anytime I've worked with any company, I've implemented Privacy Impact Assessments. They're now required under the new GDPR for any collection of any personal data.
Andy Green: But sensitive data... I think they talked about DNA data or bio-related data.
Sheila FitzPatrick: Oh no. So, what you're doing... What happened under GDPR, they have expanded the definition of personal data. And so that's not the sensitive, that's expanding the definition of personal data to include biometric information, genetic information, and location data. That data was never included under the definition of personal data. Because the belief was, well you can't really tie that back to an individual. They have found out since the original laws put in place that yes you can indeed tie that back to an individual. So, that is now included into the definition.
Andy Green: In sort of catching up a little bit with that technology?
Sheila FitzPatrick: Yeah. Exactly. But part of what GDPR did was it went from being a law around processing of personal data to a law that really moves you into the digital age. So, it's anything about tracking or monitoring or tying different aspects or elements of data together to be able to identify a person. So, it's really entering into the digital age. So, it's trying to catch up with new technology.
Andy Green: I have one more question on the GDPR subject. There's some mention in the law about sort of outside bodies can certify...?
Sheila FitzPatrick: Well, they're talking about having private certifications and privacy codes. Right now, those are not in place. The highest standard you have right now for privacy law is what's called Binding Corporate Rules. And so companies that have their Binding Corporate Rules in place, there's only less than a hundred companies worldwide that have those. And actually, I've written them for a number of companies, including Netapp has Binding Corporate Rules in place. That is the gold standard. If you have BCRs, you are 90% compliant with GDPR. But the additional certifications that they're talking about aren't in place yet.
Andy Green: So, it may be possible to get a certification from some outside body and that would somehow help prove your... I mean, so if an incident happens and the DPA looks into it, having that compliance should help a little bit in terms of any kind of enforcement action?
Sheila FitzPatrick: Yes, it certainly will once they come up with what those are. Unless you have Binding Corporate Rules. But right now... I mean if you're thinking something like a TRUSTe. No, there is no TRUSTe certification. TRUSTe is a US certification for privacy, but it's not a certification for GDPR.
Andy Green: Alright. Well, thank you so much. I mean these are questions that, I mean it's great to talk to an expert and get some more perspective on this.

The Art Of Programming
Episode No. 178 — The Art Of Programming [ ISPsystem ] Billing passions, laws and clouds

The Art Of Programming

Play Episode Listen Later Oct 31, 2018 42:51


A joint episode with colleague product manager Elena Yamshchikova from ISPsystem. Billing passions, GDPR, online cash registers and reporting, Yandex.Cloud (Я.Облако). Then they buy you... a couple of words about IBM and RedHat. Why you don't always need to obtain consent for processing personal data under the GDPR // https://habr.com/company/ispsystem/blog/353724/
Thanks to our patrons: Aleksandr Kiriushin, B7W, BigB, Dmitry Miroshnichenko, Eduard Matveev, Fedor Rusak, Grigori Pivovar, Konstantin Kovrizhnykh, Konstantin Petrov, Lagunovsky Ivan, Leo Kapanen, Mikhail Gaidamaka, Neikist, nikaburu, Pavel Drabushevich, Pavel Sitnikov, Sergey Kiselev, Sergey Vinyarsky, Sergii Zhuk, Vasiliy Galkin, Виталий Филинков, Евгений Власов, Никита Ложников, Сёмочкин Максим
Support the podcast http://bit.ly/TAOPpatron
Subscribe in iTunes http://bit.ly/TAOPiTunes
Subscribe without iTunes http://bit.ly/TAOPrss
Download the podcast http://bit.ly/TAOP178mp3
Old episodes http://bit.ly/oldtaop

Hackstock
Episode 7 - Resilience

Hackstock

Play Episode Listen Later Jul 5, 2018 72:34


The news of the moment and today's topic: digital resilience.

How do we begin...
No Privacy

How do we begin...

Play Episode Listen Later Jun 25, 2018 19:53


Two old friends, Jamil Ellis and Maurice James, decide to get a podcast together and change the world. It's been a little time since we recorded, but we get right back into the action and talk about privacy, or the lack thereof. We talk about the new European privacy laws (EU GDPR), and privacy in a world of big data and big data hacks. Remember you can reach us at howdowebeginpodcast@gmail.com or at www.magicnegrospeaks.com.

Trending
A heart-stopping week

Trending

Play Episode Listen Later May 27, 2018 40:05


This episode 50 is out later than usual, on Sunday afternoon instead of in the morning, but we've had a lot of work! Javier Soler talks about the new European data protection regulation, Antonio Rentero talks about the judges' and prosecutors' strike, Emilcar tackles the arrest of Eduardo Zaplana, and José Miguel Morales tells us about the ruling in the Gürtel case. Manuel closes the programme by trying to help us fit this whole crazy week into our heads. You can contact us via Twitter at @trendingpod or by email at trending@emilcar.fm. We also look forward to your comments at https://emilcar.fm/trending, where you will find the links for this episode.

AnalyticsToday Podcast
35 - Decrypting GDPR and Data Privacy with Bret Piatt

AnalyticsToday Podcast

Play Episode Listen Later May 15, 2018 40:03


GDPR kicks in on May 25th 2018 and will impact all of us in ways we could not imagine. With only 10 days left until the GDPR takes effect, its impact has become impossible to avoid. In this show we interview Bret Piatt, CEO of Jungle Disk and data privacy expert. Bret shares his passion for cyber security, technology and coding. In addition, he talks about how companies big or small should prepare for GDPR, and what the ramifications are of the GDPR and the new data privacy laws going into effect on May 25th 2018. He provides detailed insight and an action plan for companies to take action and avoid huge penalties. Here are some of the resources mentioned on this show:
https://www.csoonline.com/article/3269578/compliance/what-small-business-owners-should-know-about-gdpr-and-why.html
https://www.uscyberpatriot.org/
https://www.linkedin.com/in/bretpiatt
http://www.cybertalkradio.com/

Breakits Podcast
A life with only digital keys

Breakits Podcast

Play Episode Listen Later May 10, 2018 36:21


In this week's episode we talk about GDPR anxiety, we've tried the Glue digital lock, and there's a bit about iZettle's valuation. Enjoy! See acast.com/privacy for privacy and opt-out information.

Inside Out Security
Attorney Sara Jodka on GDPR and Employee Data, Part I

Inside Out Security

Play Episode Listen Later May 3, 2018 8:12


Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers boths data privacy as well as employee law. She's in a perfect position to help US companies in understanding how the EU General Data Protection Regulation (GDPR) handles HR data. In this first part of the interview, we learn from Sara that some US companies will be in for a surprise when they learn that all the GPDR security rules will apply to internal employee records. The GPDR's consent requirements, though, are especially tricky for employees. Transcript Welcome, Sara. Sara Jodka: Thank you for having me. IOS: I wanted to get into an article that you had posted on your law firm's blog. It points out an interesting subcategory of GDPR personal data which doesn't get a lot of attention, and that is employee HR records. You know, of course it's going to include ethnic, payroll, 401(k), and other information. So can you tell us, at a high level, how the GDPR treats employee data held by companies? Employee Data Covered By the GDPR SJ: Whenever we look at GDPR, there are 99 articles, and they're very broad. There's not a lot of detail on the GDPR regulations themselves. In fact, we only have one that actually carves employment data out, and that's Article 88  — there's one in and of itself. Whenever we're looking at it, none of the articles say that all of these people have these rights. All these individuals have rights! None of them say, "Well, these don't apply in an employment situation." So we don't have any exclusions! We're led to "Yes, they do apply." And so we've been waiting on, and we have been working with guidances that we're receiving, you know, from the ICO, with respect to ….  consent obligation, notice obligation, portability requirements, and  any employee context. Because it is going to be a different type of relationship than the consumer relationship! IOS: It's kind of interesting that people, I think, or businesses, probably are not aware of this ... 
except those who are in the HR business. So I think there's an interesting group of US companies that would find themselves under these GDPR rules that probably would not have initially thought they were in this category because they don't collect consumer data. I'm thinking of law firms, investment banking, engineering, professional companies. US Professional Service Companies Beware! SJ: I think that's a very good point! In fact, that's where a lot of my work is actually coming from. A lot of the GDPR compliance is coming from EU firms that specialize with EU privacy. But a lot of U.S. companies didn't realize that this is going to cover their employment aspects that they had with EU employees that are in the EU! They thought, "Well, because we don't actually have a physical location EU, it doesn't actually cover us." That's not actually at all true. The GDPR covers people that are working in the EU, people who reside in the EU, so to the extent that U.S. company has employees that are working in the EU it is going to cover that type of employee data. And there's no exception in the GDPR around it. So it's going to include those employees. IOS: So I hadn't even thought about that. So their records would be covered under the GDPR? SJ: Yeah, the one thing about the definition of a data subject under the GDPR is it doesn't identify that it has to be an EU resident or it has to be an EU citizen. It's just someone in the EU. When you're there, you have these certain rights that are guaranteed. And that will cover employees that are working for U.S. companies but they're working in the EU. IOS: Right.  And I'm thinking perhaps of a U.S. citizens who come there for some assignment, and maybe working out of the office, they would be covered under these rules. SJ: And that's definitely a possibility, and that's one thing that we've been looking for. 
We've been looking for looking for guidance from the ICO to determine …  the scope of what this is going to look not only in an employment situation, but we're dealing with an immigration situation, somebody on a work visa, and also in the context of schools as we are having, you know, different students coming over to the United States or going abroad. And what protection then the GDPR applies to those kind of in-transition relationships, those employees or students. With a lot of my clients, we are trying to err on the side of caution and so do things ahead of time, rather than beg forgiveness if the authorities come knocking at our door. GDPR's Legitimate Interest Exception is Tricky IOS: I agree that's probably a better policy, and that's something we recommend in dealing with any of these compliance standards. In that article, you mentioned that the processing of HR records has additional protections under the GDPR …  An employee has to give explicit or consent freely and not as part of an employer-employee contract. [caption id="attachment_10803" align="alignnone" width="800"] GDPR's Article 6 says there are only six lawful ways to process data. If you don't obtain freely given consent, then it gets tricky.[/caption] Can you explain this? And then, what does an employer have to do to process employee data  especially HR data? SJ: Well, when we're looking at the reasons that we're allowed to process data, we can do it by consent, and we can also do it if we have a lawful basis. A number of the lawful bases are going to apply in the employer context. One of those is if there is going to be an agreement. You know, in order to comply with the terms of a contract, like a collective bargaining agreement or like an employment agreement. So hire/fire payroll data would be covered under that, also if there is … a vital interest of an employee. 
There's speculation that that exception might actually be, or that legitimate basis might be used to obtain vital information regarding, like, emergency contact information of employees. And there's also one of the other lawful basis is if the employer has a greater, you know, interest in the data that doesn't outweigh the right of the data subject, the employee. The issue though is most ... when we talk about is consumer data, and we're looking a lot at consent and what actually consent looks like in terms of the express consent, you know, having them, you know, check the box or whatever. In an employee situation, the [UK’s] ICO has come out with guidance with respect to this. And they have expressly said in an employee-employer relationship, there is an inherent imbalance of bargaining power, meaning an employee can never really consent to giving up their information because they have no bargaining power. They either turn it over, or they're not employed. The employer is left to rely only on the other lawful basis to process data, excluding consent, so the contractor allowance and some of the others. But the issue I have with that is, I don't think that that's going to cover all the data that we actually collect on an employee, especially employees who are operating outside the scope of a collective bargaining agreement. In a context of, say, an at-will employee where there is that ... where that contract exception doesn't actually apply. I think there will be a lot of collection of data that doesn't actually fall under that. It may fall into the legitimate interest, if the employer has the forethought to actually do what's required, which is to actually document the process of weighing the employer's interest against the interest of the employee, and making sure that that is a documented process. [ Read the UK's ICO guidelines on the process of working out legitimate interest.] 
[caption id="attachment_10804" align="alignnone" width="800"] When employers claim a legitimate interest exception to getting employee consent, they have more work to do. [Source: UK ICO][/caption]But also what comes with that is the notice requirement, and the notice requirement is something that can be waived. So employers, if they are doing that, are going to have to  — and this is basically going to cover every single employer — they're going to have to give their employees notice of the data that they are collecting on them, at a minimum. IOS: At a minimum. I think to summarize what you're saying is it's just so tricky or difficult to get what they call freely given consent, that most employers will rely on legitimate interest. Triggers for Data Protection Impact Assessments (DPIAs) IOS: In the second part of this interview, we joined Sara Jodka as she explains what triggers a data protection impact assessment, or DPIA when processing employee data. SJ: I think that's required when we're doing requirements for sensitive data, and we're talking about sensitive HR data. A DPIA has be performed when two of the following exist, and there's like nine things that have to be  there in order for a DPIA to have to be done. But you bring up a great point because the information that an employer is going to have is going to necessarily trigger the DPIA. [See these Working Party 29 guidelines for the nine criteria that Sara refers to.] The DPIA isn't triggered by us doing the legitimate basis ... and having to document that process. It's actually triggered because we process sensitive data. You know, their trade union organization, affiliation, their religious data, their ethnicity. We have sensitive information, which is one of the nine things that can trigger, and all you need is two to require a DPIA. Another one that employers always get is they process data of a vulnerable data subject. A vulnerable data subject includes employees. IOS: Okay. Right. 
SJ:  I can't imagine a situation where an employer wouldn’t have to do a DPIA. The DPIA is different than the legitimate interest outweighing [employee rights] documentation that has to be done. They're two different things.   IOS: So, they will have to do the DPIAs? And what would that involve? SJ: Well, it's one thing that's required for high-risk data processing and that, as we just discussed, includes the data that employer has. Essentially what a DPIA is, it's a process that is designed to describe what processing the employer has, assess the necessity on proportionality to help manage the risk to the rights and the freedoms of the national persons resulting from the processing of personal data by assessing and determining the measures to address the data and the protections around it. It's a living document, so one thing to keep in mind about DPIA is they're never done. They are going to be your corporation's living document of the high-risk data you have and what's happening with it to help you create tools for accountability and to comply with the GDPR requirements including, you know, notice to data subject, their rights, and then enforcing those rights. It's basically a tracking document ... of the data, where the data's going, where the data lives, and what happens with the data and then what happens when somebody asks for their data, wants to erase their data, etc. GDPR Surprises for US Companies IOS: Obviously, these are very tricky things and you definitely need an attorney to help you with it. So, can you comment on any other surprises U.S. companies might be facing with GDPR? SJ: I think one of the most interesting points, whenever I was doing my research, to really drill down, from my knowledge level, is you're allowed to process data so long as it's compliant with a law. You know, there's a legal necessity to do it. 
And a lot of employers, U.S. employers specifically, look at this and thought, "Great, that legal requirement takes the load off of me because I need, you know, payroll records to comply with the Fair Labor Standards Act and, you know, state wage laws. I need my immigration information to comply with the immigration control format." You know, they were like, "We have all these U.S. laws of why we have to retain information and why we have to collect it." Those laws don't count, and I think that's a big shock when I say, well, those laws don't count. We can't rely on U.S. laws to process EU data! We can only rely on EU laws and that's one thing that's brought up and kind of coincides with Article 88, which I think is an interesting thing. If you look at Article 88 when they're talking about employee data, what Article 88 does is it actually allows member states to provide for more specific rules to ensure that the protections and the freedoms of their data are protected. These member states may be adding on more laws and more rights than the GDPR already complies! Another thing is, not only do we have to comply with an EU law, but we also are going to comply with member states' other specific laws that may be more narrow than the GDPR. Employers can't just look at the GDPR, they're going to also have to look at if they know where a specific person is. Whether it's Germany or Poland. They're going to have to look and see what aspects of the GDPR are there and then what additional, more specific laws that member state may have also put into effect.

IOS: Right!

SJ: So, I think that there are two big legal issues hanging out there that U.S. multinational companies...

IOS: One thing that comes to my mind is that there are fines involved when not complying with this. And that includes, of course, doing these DPIAs.

SJ: The fines are significant.
I think that's the easiest way to put it is that the fines are, they're astronomical, I mean, they're not fines that we're used to seeing, so there's two levels of fines depending on the violation. And they can be up to 4% of a company's annual global turnover. Or 20 million Euros. If you'd look at it in U.S. dollar terms, you're looking at, like, $23 million at this point. For some companies that could be, that's a game changer, that's a company shut down. Some companies can withstand that, but some can't. And I think any time you're facing a $23 million penalty, the cost of compliance is probably going to weigh out the potential penalty. Especially because these aren't necessarily one-time penalties and there's nothing that's going to stop the Data Protection Authority from coming back on you and reviewing again and assessing another penalty if you aren't in compliance and you've already been fined once. I think the issue is going to be how far the reach is going to be for U.S. companies. I think for U.S. companies that have, you know, brick and mortar operations in a specific member state, I think enforcement is going to be a lot easier for the DPA. There's going to be a greater disadvantage to, actually, enforcement for, you know, U.S. companies that only operate on U.S. soil. Now, if they have employees that are located in the EU, I think that enforcement is going to be a little bit easier, but if they don't and they're merely just, you know, attracting business via their website or whatever to the EU, I think enforcement is gonna be a little bit more difficult, so it's going to be interesting to see how enforcement actually plays out.

IOS: Yeah, I think you're referring to the territorial scope aspects of the GDPR. Which, yeah, I agree that's kind of interesting.

SJ: I guess my parting advice is this isn't something that's easy, it's something that you do need to speak to an attorney about.
If you think that it may cover you at all, it's at least worth a conversation. And I've had a lot of those conversations that have lasted, you know, a half an hour, and we've been very easily able to determine that GDPR is not going to cover the U.S. entity. And we don't have to worry about it. And some we've been able to identify that the GDPR is going to touch very slightly and we're taking eight steps, you know, with the website and, you know, with, you know, on-site hard copy documents to make sure that proper consent and notice is given in those documents. So, sometimes it's not going to be the earth-shattering compliance overhaul of a corporation that you think the GDPR may entail, but it's worth a call with a GDPR attorney to at least find out so that you can at least sleep better at night because this is a significant regulation, it's a significant piece of law, and it is going to touch a lot of U.S. operations.

IOS: Right. Well, I want to thank you for talking about this somewhat overlooked area of the GDPR.

SJ: Thank you for having me.

Tech ONTAP Podcast
Episode 107: NetApp Insight, GPDR, & Data Fabric
Sep 29, 2017, 29:15

This week on the podcast, we get ready for Insight with a couple of interviews with some of the folks that will be attending the conference from NetApp and answering questions at Insight Central. Join us as we chat with Justine Ma, Professional Services Product Manager, and David Mancusi, Global Architect about NetApp Insight, GDPR and the Data Fabric!

Inside Out Security
Attorney and GDPR Expert Sue Foster, Part 2
May 16, 2017, 9:10

Sue Foster is a London-based partner at Mintz Levin. In the second part of the interview, she discusses the interesting loophole for ransomware breach reporting requirements that's currently in the GDPR. However, there's another EU regulation going into effect in May of 2018, the NIS Directive, which would make ransomware reportable. And Foster talks about the interesting implications of IOT devices in terms of the GDPR. Is the data collected by your internet-connected refrigerator or coffee pot considered personal data under the GDPR? Foster says it is!

IOS: Sue Foster is a partner with Mintz Levin based out of the London office. She works with clients on European data protection compliance and on commercial matters in the fields of clean tech, high tech, mobile media, and life sciences. She's a graduate of Stanford Law School. SF is also, and we like this here at Varonis, a Certified Information Privacy Professional. I'm very excited to be talking to an attorney with a CIPP, and with direct experience on a compliance topic we cover on our blog — the General Data Protection Regulation, or GDPR. Welcome, Susan.

SF: Hi Andy. Thank you very much for inviting me to join you today. There's a lot going on in Europe around cybersecurity and data protection these days, so it's a fantastic set of topics.

IOS: Oh terrific. So what are some of the concerns you're hearing from your clients on GDPR?

SF: So one of the big concerns is getting to grips with the extra-territorial reach. I work with a number of companies that don't have any office or other kind of presence in Europe that would qualify them as being established in Europe. But they are offering goods or services to people in Europe. And for these companies, you know, in the past they've had to go through quite a bit of analysis to understand whether the Data Protection Directive applies to them. Under the GDPR, it's a lot clearer and there are rules that are easier for people to understand and follow.
So now when I speak to my U.S. clients, if they're a non-resident company that promotes goods or services in the EU, including free services like a free app, for example, they'll be subject to the GDPR. That's very clear. Also, if a non-resident company is monitoring the behavior of people who are located in the EU, including tracking and profiling people based on their internet or device usage, or making automated decisions about people based on their personal data, the company is subject to the GDPR. It's also really important for U.S. companies to understand that there's a new ePrivacy Regulation in draft form that would cover any provider, regardless of location, of any form of publicly available electronic communication services to EU users. Under this ePrivacy Regulation, the notion of what these communication services providers are is expanded from the current rules, and it includes things that are called over-the-top applications – so messaging apps and communications features, even when a communication feature is just something that is embedded in a website. If it's available to the public and enables communication, even in a very limited sort of forum, it's going to be covered. That's another area where U.S. companies are getting to grips with the fact that European rules will apply to them. So there's this new security regulation as well that may apply to companies located outside the EU. So all of these things are combining to suddenly force a lot of U.S. companies to get to grips with European law.

IOS: So just to clarify, let's say a small U.S. social media company that doesn't market specifically to EU countries, doesn't have a website in the language of some of the EU countries, they would or would not fall under the GDPR?

SF: On the basis of their [overall] marketing activity they wouldn't. But we would need to understand if they're profiling or they're tracking EU users or through viral marketing that's been going on, right?
And they are just tracking everybody. And they know that they're tracking people in the EU. Then they're going to be caught. But if they're not doing that, if they're not engaging in any kind of tracking, profiling, or monitoring activities, and they're not affirmatively marketing into the EU, then they're outside of the scope. Unless, of course, they're offering some kind of service that falls under one of these other regulations that we were talking about.

IOS: What we're hearing from our customers is that the 72-hour breach rule for reporting is a concern. And our customers are confused and after looking at some of the fine print, we are as well!! So I'm wondering if you could explain the breach reporting in terms of thresholds, what needs to happen before a report is made to the DPAs and consumers?

SF: Sure, absolutely. So first it's important to look at the specific definition of personal data breach. It means a breach of security leading to the ‘accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data’. So it's fairly broad. The requirement to report these incidents has a number of caveats. So you have to report the breach to the Data Protection Authority as soon as possible, and where feasible, no later than 72 hours after becoming aware of the breach. Then there's a set of exceptions. And that is unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. So I can understand why U.S. companies would sort of look at this and say, ‘I don't really know what that means’. How do I know if a breach is likely to ‘result in a risk to the rights and freedoms of natural persons’? Because that's not defined anywhere in this regulation! It's important to understand that that little bit of text is EU-speak that really refers to the Charter of Fundamental Rights of the European Union, which is part of EU law.
There is actually a document you can look at to tell you what these rights and freedoms are. But you can think of it basically in common sense terms. Are the person's privacy rights affected, are their rights and the integrity of their communications affected, or is their property affected? So you could, for example, say that there's a breach that isn't likely to reveal information that I would consider personally compromising from a privacy perspective, but it could lead to fraud, right? So that could affect my property rights. So that would be one of those issues. Basically, most of the time you're going to have to report the breach. When you're going through the process of working out whether you need to report the breach to the DPA, and you're considering whether or not the breach is likely to result in a risk to the rights and freedoms of natural persons, one of the things that you can look at is whether people are practically protected. Or whether there's a minimal risk because of steps you've already taken such as encrypting data or pseudonymizing data and you know that the key that would allow re-identification of the subjects hasn't been compromised. So these are some of the things that you can think about when determining whether or not you need to report to the Data Protection Authority. If you decide you have to report, you then need to think about ‘do you need to report the breach to the data subjects’, right? And the standard there is that it has to be a ‘high risk to the rights and freedoms of natural persons’. So a high risk to someone's privacy rights or rights on their property and things of that sort. And again, you can look at the steps that you've taken to either prevent the data from — you know, before it even was leaked — prevent it from being potentially vulnerable in a format where people could be damaged. Or you could think also whether you've taken steps after the breach that would prevent those kinds of risks from happening.
Now, of course, the problem is the risk of getting it wrong, right? If you decide that you're not going to report after you go through this full analysis and the DPA disagrees with you, now you're running the risk of a fine of 2% of the group's global turnover … or gross revenue around the world. And that I think is going to lead to a lot of companies being cautious in reporting, when even they might have been able to take advantage of some of these exceptions but they won't feel comfortable with that.

IOS: I see. So just to bring it to more practical terms. We can assume that let's say credit card numbers or some other identification number, if that was breached or taken, would have to be reported both to the DPA and the consumer?

SF: Most likely. I mean if it's... yeah, almost certainly. Particularly if the security code on the back of the card has been compromised, and absolutely you've got a pretty urgent situation. You also have a responsibility to basically provide a risk assessment to the individuals, and advise them on steps that they can take to protect themselves such as canceling their card immediately.

IOS: One hypothetical that I wanted to ask you about is the Yahoo breach, which technically happened a few years ago. I think it was over two years ago … Let's say something like that had happened after the GDPR where a company sort of had known that there was something happening that looked like a breach, but they didn't know the extent of it. If they had not reported it, and waited until after the 72-hour rule, what would have happened to let's say a multinational like Yahoo?
SF: Well, Yahoo would need to go through the same analysis, and it's hard to imagine that a breach on that scale and with the level of access that was provided to the Yahoo users' accounts as a result of those breaches, and of course the fact that people know that it's very common for individuals to reuse passwords across different sites, and so you, you know, have the risks sort of follow-on problems. It's hard to imagine they would be in a situation where they would be off the hook for reporting. Now the 72-hour rule is not hard and fast. But the idea is you report as soon as possible. So you can delay for a little while if it's necessary for say a law enforcement investigation, right? That's one possibility. Or if you're doing your own internal investigation and somehow that would be compromised or taking security measures would be compromised in some way by reporting it to the DPA. But that'll be pretty rare. Obviously going along for months and months with not reporting it would be beyond the pale. And I would say a company like Yahoo would potentially be facing a fine of 2% of its worldwide revenue!

IOS: So this is really serious business, especially for multinationals. This is also a breach reporting related question, and it has to do with ransomware. We're seeing a lot of ransomware attacks these days. In fact, when we visit customer sites and analyze their systems, we sometimes see these attacks happening in real time. Since a ransomware attack encrypts the file data but most of the time doesn't actually take the data or the personal data, would that breach have to be reported or not?

SF: This is a really interesting question! I think the by-the-book answer is, technically, if a ransomware attack doesn't lead to the accidental or unlawful destruction, loss, or alteration or unauthorized disclosure of or access to the personal data, it doesn't actually fall under the GDPR's definition of a personal data breach, right?
So, if a company is subject to an attack that prevents it from accessing its data, but the intruder cannot itself access, change or destroy the data, you could argue it's not a personal data breach, therefore not reportable. But it sure feels like one, doesn't it?

IOS: Yes, it does!

SF: Yeah. I suspect we're going to find that the new European Data Protection Board will issue guidance that somehow brings ransomware attacks into the fold of what's reportable. Don't know that for sure, but it seems likely to me that they'll find a way to do that. Now, there are two important caveats. Even though, technically, a ransomware attack may not be reportable, companies should remember that a ransomware attack could cause them to be in breach of other requirements of the GDPR, like the obligation to ensure data integrity and accessibility of the data. Because by definition, you know, the ransomware attack has made the data non-accessible and has totally corrupted its integrity. So, there could be a liability there under the GDPR. And also, the company that's suffering the ransomware attack should consider whether they're subject to the new Network and Information Security Directive, which is going to be implemented in national laws by May 9th of 2018. So again, May 2018 being a real critical time period. That directive requires service providers to notify the relevant authority when there's been a breach that has a substantial impact on the services, even if there was no GDPR personal data breach. And the Network and Information Security Directive applies to a wide range of companies, including those that provide "essential services". Sort of the fundamentals that drive the modern economy: energy, transportation, financial services. But also, it applies to digital service providers, and that would include cloud computing service providers.
You know, there could be quite a few companies that are being held up by ransomware attacks who are in the cloud space, and they'll need to think about their obligations to report even if there's maybe not a GDPR reporting requirement.

IOS: Right, interesting. Okay. As a security company, we've been preaching Privacy by Design principles, data minimization and retention limits, and in the GDPR it's now actually part of the law. The GDPR is not very specific about what has to be done to meet these Privacy by Design ideas, so do you have an idea what the regulators might say about PbD as they issue more detailed guidelines?

SF: They'll probably tell us more about the process but not give us a lot of insight as to specific requirements, and that's partly because the GDPR itself is very much a show-your-work regulation. You might remember back on old, old math tests, right? When you were told, ‘Look, you might not get the right answer, but show all of your work in that calculus problem and you might get some partial credit.’ And it's a little bit like that. The GDPR is a lot about process! So, the push for Privacy by Design is not to say that there are specific requirements other than paying attention to whatever the state of the art is at the time. So, really looking at the available privacy solutions at the time and thinking about what you can do. But a lot of it is about just making sure you've got internal processes for analyzing privacy risks and thinking about privacy solutions. And for that reason, I think we're just going to get guidance that stresses that, develops that idea. But any guidance that told people specifically what security technologies they needed to apply would probably be good for, you know, 12 or 18 months, and then something new would come along. Where we might see some help is, eventually, in terms of ISO standards.
Maybe there'll be an opportunity in the future for something that comes along that's an international standard, that talks about the process that companies go through to design privacy into services and devices, etc. Maybe then we'll have a little more certainty about it. But for now, and I think for the foreseeable future, it's going to be about showing your work, making sure you've engaged, and that you've documented your engagement, so that if something does go wrong, at least you can show what you did.

IOS: That's very interesting, and a good thing to know. One last question, we've been following some of the security problems related to Internet of Things devices, which are gadgets on the consumer market that can include internet-connected coffee pots, cameras, children's toys. We've learned from talking to testing experts that vendors are not really interested in PbD. It's ship first, maybe fix security bugs later. Any thoughts on how the GDPR will affect IOT vendors?

SF: It will definitely have an impact. The definition of personal data under the GDPR is very, very broad. So, effectively, anything that I am saying that a device picks up is my personal data, as well as data kind of about me, right? So, if you think about a device that knows my shopping habits that I can speak to and I can order things, everything that the device hears is effectively my personal data under the European rules. And Internet of Things vendors do seem to be lagging behind in Privacy by Design. I suspect we're going to see investigations and fines in this area early on, when the GDPR starts being enforced in May 2018. Because the stories about the security risks of, say, children's toys have really caught the attention of the media and the public, and the regulators won't be far behind. And now, we have fines for breaches that range from 2% to 4% of a group's global turnover.
It's an area that is ripe for enforcement activity, and I think it may be a surprise to quite a few companies in this space. It's also really important to go back to this important theme that there are other regulations, besides the GDPR itself, to keep track of in Europe. The new ePrivacy Regulation contains some provisions targeted at the internet of things, such as the requirement to get consent from consumers for machine-to-machine transfers of communications data, which is going to be very cumbersome. The [ePrivacy] Regulation says you have to do it, it doesn't really say how you're going to get consent, meaningful consent, that's a very high standard in Europe, to these transfers when there's no real intelligent interface between the device and the person, the consumer who's using it. Because there are some things that have, maybe, kind of a web dashboard. There's some kind of app that you use and you communicate with your device, you could have privacy settings. There's other stuff that's much more behind the scenes with Internet of Things, where the user is not having a high level of engagement. So, maybe a smart refrigerator that's reeling information about energy consumption to, you know, the grid. Even there, you know, there's potentially information where the user is going to have to give consent to the transfer. And it's hard to kind of imagine exactly what that interface is going to look like! I'll mention one thing about the ePrivacy Regulation. It's in draft form. It could change, and that's important to know. It's not likely to change all that much, and it's on a fast-track timeline because the Commission would like to have it in place and ready to go May 2018, the same time as the GDPR.

IOS: Sue Foster, I'd like to thank you again for your time.

SF: You're very welcome. Thank you very much for inviting me to join you today.