New Guidance about Transparency: Notices Must Be Accurate, Clear and Easy To Locate

Important guidance about the General Data Protection Regulation’s (GDPR) transparency requirements has been released from Europe. The Article 29 Working Party, an advisory body that oversees data protection in the EU, issued a paper that provides practical guidance and clarity about the obligations of data controllers with respect to informing individuals about the collection, use and protection of their data. The GDPR requires that notices must: be concise, transparent, intelligible and easily accessible (Article 12.1); use clear and plain language (Article 12.1); the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1); be provided in writing “or by other means, including where…

READ MORE

Preparing for May 25th, 2018: GDPR Compliance Requires More Than Technology Solutions

Whether you are in the IT department or on the legal team, in recent weeks you’ve no doubt received announcements and advertisements offering technology solutions that promise to help you “achieve GDPR readiness.” While these products can help address certain compliance issues, it’s important to understand their limitations – and that GDPR compliance requires more than technology solutions. Before any tool can be useful, GDPR demands a combination of review, risk analysis and thoughtful decision-making on the part of your company. While software solutions can help with discrete tasks – data mapping, controlling and monitoring who has access to data, and managing consent, to name a few –…

READ MORE

U.S. Regulators Convene Workshop on Privacy Risks and Harms

Compliance with the European Union’s General Data Protection Regulation (GDPR), scheduled to take effect in May 2018, has taken center stage for companies. But it is important to remember that regulators in the U.S. continue their own work to protect the privacy interests of consumers. The Federal Trade Commission (FTC) took the spotlight on December 12, 2017, when it hosted a one-day workshop titled “Informational Injury” in Washington DC. The event brought together a variety of stakeholders – including industry representatives, consumer advocates, academics and government researchers – to discuss issues related to the injuries consumers suffer when information about them is misused. In opening remarks, Acting FTC Chairwoman…

READ MORE

EU Releases Guidance About the Requirements for Obtaining Valid Consent Under GDPR

Last month, companies working toward compliance with the European Union’s General Data Protection Regulation (GDPR) received guidance about the new law’s consent requirement. The Article 29 Working Party, the advisory body that oversees data protection in the EU, issued a paper that provides practical advice about steps companies must take to ensure the consents for data processing they obtain from consumers are valid under the GDPR. The GDPR provides that for consent to be valid, it must be freely given, specific to the stated purpose for the processing, informed, and based on a clear, affirmative indication given by the data subject. The document provides advice about how regulators interpret…

READ MORE

Uber Breach Highlights Data Security Risks that Exist for All Companies and the Steps Needed To Address Them

In November, Uber disclosed a security breach that occurred in October 2016, when hackers stole from a third-party server data about 57 million Uber drivers and riders. The company also revealed that they took affirmative steps to keep the data breach secret. The New York Attorney General’s office is opening an investigation of the incident, and members of Congress have sent letters to Uber demanding additional details about the breach. This case highlights the importance of having in place appropriate data security, and a plan to respond to security breaches –  to any company. Data security is critical to a company’s brand, reputation and market trust. A company’s…

READ MORE

The Five Essential Elements of Accountability Under the GDPR Every Business Should Know

The General Data Protection Regulation (GDPR), which comes into effect in May 2018 (only six months from now) has been the subject of countless conference discussions, press stories, and company meetings about the challenges of compliance. The GDPR is a lengthy and complex read, and its requirements – ranging from detailed consent requirements to the need to conduct data protection impact assessments – can seem daunting. What is often lost in the concern about specifics is that the most important change the GDPR represents is the shift in thinking it requires. The GDPR provides that companies change their mindset from one of “check-box” compliance to accountability. It requires…

READ MORE

Technology for GDPR Compliance Will Cost Top U.S. Firms $1 Million

A new survey conducted by Paul Hastings LLP provides a serious reminder that the cost associated with EU General Data Protection Regulation (GDPR) compliance is staggering, and that to be ready to comply when the regulation goes into effect on May 25, 2018, U.S. companies must act now. U.S. firms in the Fortune 500 will spend an average of $1 million on GDPR compliance technology alone. Currently, only 9 percent of U.S. companies surveyed have purchased new technology and just 34 percent have allocated the appropriate budget to hire the additional staff necessary to meet regulatory demands. The consequences of GDPR violation are immense, with fines of up to $22.4…

READ MORE

Achieved Compliance Participates in the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong

Last month, Achieved Compliance attended the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong, hosted the event, which was attended by over 3,000 data protection authorities, privacy professionals, industry representatives and non-governmental organizations. The Commissioners’ Conference convenes annually and offers one of the best opportunities to learn not only about the current state of data protection law, but to understand what is top-of-mind for regulators and what new challenges they see on the horizon. Among its goals is to promote and enhance personal data protection and privacy rights around the world, and to provide a forum…

READ MORE