TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe, 29 June 2018 Related reading: New for PSR: 'Strategic Privacy by Design'

rss_feed

""

PSR18_Web_300x250-COPY
GDPR-Ready_300x250-Ad

Greetings from Utrecht!

For those who follow me on Twitter, they may know that my account starts with the following tweet:

"Speaking about the #GDPR without explaining the ideas behind it, is like teaching how to drive without explaining the concept of travel."

Here in the Netherlands, the IAPP is all about training. We have several Official Training Partners, a number of IAPP faculty members, and lots and lots of training. Personally, I deliver about two or three CIPP/E trainings a month. And it never gets boring. For me as a trainer, the training provides great insight into how organizations behave when dealing with the EU General Data Protection Regulatoin. 

It always astounds me how much "fake news," confusion and misinterpretation there is about the GDPR among the trainees, especially around the concepts of controller and processor. To the frustration of those who do understand the concepts of controller and processor (often after proper training), many organizations, scared of being fined or having to report a data breach, are sending each other data processing agreements for every type of data sharing, regardless of whether that other party is a controller or not. 

Not surprisingly, module three of the CIPP/E training is often the hottest debated topic of the training. And my answer is always the same: “All processors are service providers, but only some service providers are processors.” Ergo, if a party does not provide a service to you, it cannot even be your processor. Yes, we see governments agencies that send data processor agreements to other government agencies with whom they share data in the execution of each other’s public tasks. When I ask why, their answer is typically that they don’t trust that other agency’s security measures. 

We also see companies that are afraid of ordering flowers with the florist for an employee’s work anniversary or birthday without a data processor agreement. In some companies, the GDPR literally creates panic: To sign or not to sign an unnecessary data processor agreement, that’s the question. Do I enter into a bunch of irrelevant obligations, or do I risk losing a customer? Often, I find myself training my clients’ customers about the GDPR: I call it “high-pressure training,” since contract negotiations are not the proper place and time to do extensive GDPR training. I try to explain the concepts of controller and processors in short, understandable bits and help move the negotiations along.

In the meantime, several GDPR scammers have surfaced. One example is that of a company pretending to work for the Dutch data protection authority that contacts organizations about the GDPR compliance on their website: “Pay 1000 euro transactions, and we will not give you a fine.” Another scammer, claiming to run a GDPR certification scheme, contacts Belgian companies with the message that they have seven days to comply with the GDPR and they can help them with their certification scheme for 195 euro, or they will report that company to the authorities.

Welcome to the new world of the GDPR. These examples show how important privacy training is. In many cases, training will prove to have significant business value. If both parties share the same understanding of the concepts, principles and requirements of the GDPR, doing business with each other suddenly becomes a lot easier. It helps organizations reach their business destinations instead of driving around in circles. And it helps to avoid scam attacks in the process.

1 Comment

If you want to comment on this post, you need to login.

  • comment Lasse Toivonen • Jun 30, 2018
    Another rather disturbing commonality in DPA negotiations are service providers who clearly are processors but claim to be controllers - usually without any real legal arguments. I guess they have processed the data for years (also) for their own purposes and now because of GDPR and new contract negotiations, they have noticed that maybe they after all are not entitled to do so and try their best to come up with any explanations why they would be controllers. It is annoying to negotiate about the same self-evident topic time after time.