LabMD and the new definition of privacy harm

(Aug 22, 2016) If a tree falls in the woods and there’s no one around to hear it, does it make a sound? According to the Federal Trade Commission, yes it does. In its recent LabMD ruling, the FTC found that the mere fact that sensitive medical records were publicly available, without any evidence that consumers suffered any adverse effects or were even aware of the breach, was enough to support a finding of substantial consumer injury. In so finding, the LabMD decision offers the most detailed portrait yet of ...

We’ve got a finalized Privacy Shield agreement: What’s new?

(Jul 12, 2016) The first draft of the EU-U.S. Privacy Shield, released in February, received intense scrutiny from the likes of the Article 29 and Article 31 working parties, the EU Parliament, the European Council, and various industry groups. Today, the European Commission and U.S. Department of Commerce released a final draft, incorporating and addressing that feedback. So, what changed? In this piece for Privacy Tracker, IAPP Westin Fellow Gabe Maldoff, CIPP/US, identifies the edits and looks at what they ...

How GDPR changes the rules for research

(Apr 19, 2016) The General Data Protection Regulation (GDPR) will come into effect in the spring of 2018, replacing the Data Protection Directive 95/46/EC and imposing new obligations on organizations that process the personal data of European Union residents. While the Regulation aims to bolster privacy rights, it arrives as a centerpiece of the EU Digital Single Market, an initiative designed to boost digital innovation within the EU. By harmonizing privacy legislation across the EU member states and carvin...

The Risk-Based Approach in the GDPR: Interpretation and Implications

(Mar 29, 2016) IAPP Westin Fellow Gabriel Maldoff, CIPP/US, examines the EU General Data Protection Regulation's risk-based approach to data protection in this white paper. Throughout the GDPR, organizations that control the processing of personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Although the GDPR is silent on how organizations should assess and quantify risk, certain trends emerge from the sections where risk does appe...

Top 10 operational impacts of the GDPR: Part 10 - Consequences for GDPR Violations

(Mar 23, 2016) The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

We read Privacy Shield so you don't have to

(Mar 7, 2016) The European Commission recently released details of the new Privacy Shield framework designed to heighten protections for transferring European Union residents’ personal data to the U.S. Although its approval faces procedural hurdles, Privacy Shield could provide a much-needed solution for organizations seeking to respond to Safe Harbor’s invalidation. At more than 130 pages, the Privacy Shield package is dense, and potentially daunting. But never fear, we here at the Westin Research Center hav...

Top 10 operational impacts of the GDPR: Part 9 - Codes of conduct and certifications

(Feb 24, 2016) The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non...

Top 10 operational impacts of the GDPR: Part 8 - Pseudonymization

(Feb 12, 2016) The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Top 10 operational impacts of the GDPR: Part 7 - Vendor Management

(Feb 4, 2016) The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Top 10 operational impacts of the GDPR: Part 6 - RTBF and data portability

(Jan 25, 2016) The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...