Data-processing agreements from 30,000 feet

(May 22, 2018) “Processing by a processor shall be governed by a contract or other legal act…” (Article 28, GDPR) Commonly referred to as a “data processing agreement,” this type of contract governs the relationship between a controller, a processor, and the data being processed. These contracts can come in many forms, but as the May 25 effective date of the EU General Data Protection Regulation approaches, more and more organizations will be updating their vendor contracts to include a data processing ag...

GDPR implementation bills: the election problem

(May 22, 2018) It is by now no secret that a lot of EU countries won't have implementing acts ready in time for the introduction of the General Data Protection Regulation this week. While this is unlikely to be the end of the world for most companies — the GDPR doesn't need to be transposed into member states' national laws to apply — it does create a level of confusion where the new regulation clashes with still-active national implementations of the old EU Data Protection Directive. The European Commission...

Fostering the practical interpretation of GDPR with Codes of Conduct

(May 22, 2018) Europe’s new privacy rules avoided overly detailed phrasing where appropriate and kept the law abstract and principle-based, in part because of the speed and disruptiveness of technical innovation. However, the GDPR did not leave those areas free from oversight. The regulation emphasizes business responsibilities and grants advantages to those who voluntarily self-regulate by making themselves subject to a co-regulated code of conduct. CoCs invite all businesses, especially mic...

Sweden's open society is clashing with EU privacy law, and regulators are frustrated

(May 22, 2018) While the General Data Protection Regulation will this week come into effect across the European Union, some companies in Sweden have nothing to fear — for now at least — thanks to a peculiarity of Swedish free-expression law. In Sweden, a country famous for its open society, those publishing information in databases can get a "publisher's license" that protects what goes in there, as long as the database is publicly available and the contents can only be amended by an editor or a board of edi...

What role can internal auditors play in GDPR compliance?

(May 22, 2018) Internal auditors ranked EU General Data Protection Regulation compliance as a top priority in the run-up to May 25, 2018. Knowing that penalties under the GDPR can amount to 4 percent of global annual turnover, many heads of internal audit are including a review of this area within their annual internal audit plans. As a function that has a holistic view of the organization, internal audit plays a role in evaluating the organization’s GDPR compliance. By taking up the role of a strategic partne...

How to approach DPIAs under the GDPR

(May 22, 2018) The guiding principles of the General Data Protection Regulation push organizations to address compliance through continuous risk assessment. Correctly implementing a GDPR compliance model obliges organizations to review the bureaucratic, paper-based approach adopted so far, especially in Italy, to monitor privacy and to arrive at a concept of accountability. Technological innovation continually proposes new tools for an increasingly c...

Implementing appropriate security under the GDPR

(May 22, 2018) The GDPR is finally here, and things like data mapping, DPIAs, consent management, and data subject rights have been on everyone’s mind leading up to its arrival. While these operational requirements are obvious for many companies, some others have flown under the radar. One in particular that we have received questions about from our customers at OneTrust is the requirement for appropriate security. Security of processing: Security of processing is a foundational principle of the GDPR. Under A...

Encouraging a self-resolution approach under the accountability principle

(May 22, 2018) The strong emphasis on the accountability principle in some regulations allows organizations to resolve complaints or disputes relating to data protection (or data privacy) provisions through alternative dispute resolution mechanisms, such as conciliation, negotiation or mediation, or even arbitration. For instance, the Personal Data Protection Act 2012 of Singapore establishes the possibility that any complaint by an individual against an organization might be more appropriately resolved thr...