Did you miss our webinar on Europe’s GDPR and data protection trends throughout the globe?
Don’t worry! The event’s full transcript is now available for your perusal.
Many thanks to our panelists Nick Skrekas, IAPP’s Sam Pfeifle and Privacy International’s Tomaso Falchetta for taking the time to talk to us about the GDPR and to answer our community’s questions on data protection.
Please feel free to download the transcript and make sure to share it with your network.
Also, if you have any follow-up questions for our panel, don’t hesitate to submit them below.
Here are some of the event’s main highlights!
What are the main principles of GDPR?
“There are actually six principles outlined in Article 5 of the regulation, but there is also one seventh principle, which is implied… The first one… is lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and transparently… The second one is purpose limitation. Personal data can only be collected for specified, explicit and legitimate purposes. The third one is data minimization. Personal data must be adequate, relevant and limited to what is necessary for processing… [Then comes] accuracy… personal data must be accurate and kept up-to-date. The fifth one [is] storage limitation. Personal data must be kept in a form such that the data can be identified only as long as necessary for processing. And the sixth [is] integrity and confidentiality. Personal data must be processed in a manner that ensures its security… The seventh one, which is implied in Article 5, is that the data controller [is] responsible for demonstrating this, and they must secure the same assurances from any external data processors.”
“These principles, for people who are in the data protection community, aren't new. This is something that goes back to the OECD and even some of the work that was being done in the 1960s in the United States… What's impressive or important or different here is that we now have them ensconced in EU-wide law… If you have not been doing these things, you are definitely going to have to change the way you do business.”
What does personal data actually constitute?
“With the development of new technologies and the ways you can identify an individual from a particular data set or a combination of data sets… [this] makes the concept of personal data a sort of dynamic concept… And the courts, definitely the Court of Justice of the European Union, help to identify some of the borderline cases.”
“I would encourage people to think of it very broadly; any data that you can use to figure out who a specific person is, that’s personal data. And the law is not going to give you a list of all the data that you need to keep track of… The GDPR is purposely vague to account for changes in technology, so there is no big giant spreadsheet that anybody can point to that says, ‘Here, these are all the types of personal data.’ You really need to think deeply about the data that you’re collecting.”
Who does the GDPR actually affect?
Nick Skrekas: “Every company in Europe is covered by the regulation… It also covers companies outside of the EU who are looking to sell goods or products to EU residents, not necessarily citizens… and also applies to companies outside of the European Union who are simply monitoring residents of the EU. So there is an extra-territorial effect here.”
Sam Pfeifle: “If you are doing business even remotely globally, if you want to sell even one item to someone who lives in the EU, if you have any employees in the EU, you should consider yourself covered by the GDPR.”
What responsibilities would a company have under this new regulation?
Nick Skrekas: “If you are a controller, you have a lot more obligations. You need to be taking operational and technical measures to make sure that the data that you have is safe. You also need to respect the regulation in the sense that you must have a legitimate interest in the kind of data that you are looking at. You need to have confidentiality, non-disclosure agreements with all your staff, and, more than that, all staff should not have access to the personal data; it should be on a need-to-know basis… [Also], as part of the regulation, they have obligations as a company, whether you are a processor or whether you are a controller, to report any data breaches to the supervisory authority within 72 hours of finding out about them.”
Tomaso Falchetta: “One that is quite important is the requirement for data protection by default and by design… When you think about processing personal data, you need to put in place a way [by which] basically you process the least that is necessary. So this kind of default data protection minimization is very important.”
Sam Pfeifle: “I think the biggest responsibility is to understand the data that you hold and the consent that is attached to it… Because it’s everything. It’s the data on individual hard drives, it’s the data on thumb drives, it’s the data on servers, it’s the data that you hold in cloud accounts, it’s the data on your Dropbox… it’s the data on your email, it’s the data on bring your own device, phones and laptops, and iPads. It is not a simple thing to track that data, and it is not a simple thing to track the consent that is attached to that data.”
What is a data protection officer and which companies need to appoint a DPO?
Sam Pfeifle: “The data protection officer has a very specific role in the GDPR. Many companies use data protection officer as a little bit of a catchall term for their privacy leader or for someone on a privacy team. Now, once the GDPR comes into force, the data protection officer is a legally prescribed role with very specific duties… It is not clear who has to have a mandatory DPO or not, but I think it’s wrapped up in two core questions. The first question is: Is data processing core to what you do as a business? If you are doing data processing as the way you make money, you definitely need to have a mandatory DPO… The second question is: Do you handle particularly sensitive data? There are certain types of data that are particularly sensitive in the GDPR, things like health data, sexual orientation data, whether you're in a labor union data, those data that are particularly tied into your ability to exercise your rights of freedom. So even if your core business is not processing data, but you’re storing that data even a little bit, you really need to have a data protection officer, because the GDPR will bring the harshest fines if you are not processing that sensitive data correctly.”
Under the GDPR, how does the company obtain consent?
Nick Skrekas: “Consent must be freely given, specific, informed and unambiguous. Silence, pre-ticked boxes or inactivity aren't permitted as consent. And consent has to be consent to all the processing activities, not just some of them.”
What rights will individuals have under GDPR?
“The key element here is that the data subject is put in a position to know what data is processed about him or herself. The data subject is in a stronger position to actually control the processing of the data, which includes the right to seek rectification of the data, erasure of the data, and a limitation or restriction of the processing of the data, or objecting to processing in certain cases. Another right that has come out, and I know has kind of created a lot of discussion because it’s a relatively new right, is this right to data portability.”