All posts in GDPR

Cartoon: GDPR’s Scope

Daniel Solove
Founder of TeachPrivacy

Cartoon GDPR Scope

I turned my short GDPR vignette about GDPR’s territorial scope into a cartoon.  The GDPR applies not just to all EU organizations that process personal data.  The GDPR also applies to non-EU established organizations that offer goods and services to EU citizens or that monitor behavior within the EU.

The GDPR thus has quite a long arm in its reach.  Any organization, even those with no physical presence in the EU, can fall under the scope of the GDPR.

Continue Reading

The International Privacy+Security Forum

Daniel Solove
Founder of TeachPrivacy

International Privacy+Security Forum

The International Privacy+Security Forum (February 26-27, 2018 in Washington DC) is next week.

The International Forum is a new annual sister event to the Privacy+Security Forum, an annual event held in October at George Washington University in Washington, DC.  The regular Privacy+Security Forum will be in its 4th year in 2018.  This past year, we had 800 participants.

Paul Schwartz and I created the International Forum to recognize the profound importance of international privacy and security law, not just abroad, but here in the United States.

We have 100 speakers and 30+ sessions.

Continue Reading

GDPR Cartoon: Lawful Processing

Daniel Solove
Founder of TeachPrivacy

Cartoon GDPR Lawful Processing

This cartoon focuses on the lawful processing requirement.  Under the EU’s General Data Protection Regulation G(DPR), the collection and processing of personal data must be for “specified, explicit and legitimate purposes.”   This is in contrast to the United States where the processing of personal information is permitted unless a law forbids it.

Under the GDPR, data processing must be “lawful” – it must be justified by a legitimate purpose in order to be permissible.  Article 6 of the GDPR sets forth the grounds for the lawfulness of processing personal data.  These grounds include the consent of the data subject, when processing is necessary to perform a contract where the data subject is a party, when processing is necessary to comply with a legal obligation, when processing is necessary to protect a person’s vital interests, or when processing is necessary to perform a task carried out in the public interest.  The final ground for lawful processing is when processing is necessary for the “legitimate interests” of a data controller or third party.

It is far from clear that there are legitimate interests in the cartoon above.  Organizations often think that “legitimate interests” mean any interests that are important to their business, but that’s not the case.  This ground for lawful processing is much narrower.  And, legitimate interests must not be overridden by the data subject’s interests or rights.

Continue Reading

Key WP29 Documents for GDPR

Daniel Solove
Founder of TeachPrivacy

EU Article 29 Working Party GDPR Guidance

The Article 29 Working Party was created by the EU Data Protection Directive in 1996.  Its purpose is to provide advice, opinions, and guidance about data protection.  The Article 29 Working Party is composed of a representative from each EU member state.  The General Data Protection Regulation (GDPR) will replace the Working Party with the European Data Protection Board (EDPB).

Below are some of the most important guidelines to be issued by the Article 29 Working Party (WP29) about the General Data Protection Regulation (GDPR).

Right to Data Portability (WP 242)

Guidelines on the right to “data portability” (wp242rev.01)

Data Protection Officers (WP 243)

Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Continue Reading

Cartoon on GDPR Vendor Management

Daniel Solove
Founder of TeachPrivacy

 

Cartoon GDPR Vendor Management TeachPrivacy GDPR Training

This cartoon depicts the challenges of complying with GDPR’s requirements for vendor management.   Under the GDPR, there are serious responsibilities when using a vendor to process personal data.  Broadly, there are three things that data controllers must do:

1. Data controllers must perform due diligence in selecting vendors and that are complaint with GDPR.

2. Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.

3. Data controllers must monitor vendors for compliance.

Vendors must also comply with the GDPR.

Continue Reading

GDPR Training, Writings, and Resources: Roundup from the Past Year

Daniel Solove
Founder of TeachPrivacy

General Data Protection Regulation - GDPR - Training Resources by Prof. Daniel Solove

The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs.  In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.

GDPR Whiteboard

GDPR Whiteboard - TeachPrivacy Privacy Awareness Training 02 small

200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of  GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.

GDPR Interactive Whiteboard

GDPR Whiteboard Interactive - TeachPrivacy GDPR Training

I created a new highly-interactive version of the GDPR Whiteboard (~5 mins) — a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS)

The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard. and can be used in tandem with the analog version or in lieu of it.

A Guide to GDPR Training

A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.

The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO)  is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:

  • basic privacy awareness training for your general workforce
  • advanced training for personnel who need more detailed knowledge of GDPR
  • role-based training specific to an individual’s job function.

I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.

GDPR (Short Introductory Course ~ 7 Mins)

GDPR Training

This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers . This course can also be offered in conjunction with other courses in our series  –  Privacy Shield and European Union Privacy Law.

COURSE OUTLINE:

  • Structure
    Scope
    Personal Data
    Sensitive Data
    Data Controllers and Data Processors
    Supervisory Authority
    Enforcement
    Rights and Responsibilities
    International Data Transfer
  • Rights and Responsibilities
    Transparency
    Purpose Specification and Minimization
    Consent
    Right to Erasure
    Right to Data Portability
    Data Protection by Design
    Data Protection Impact Assessments
    Record of Data Processing Activities
    Data Breach Notification
  • International Data Transfer

Global Privacy and Data Protection
(Privacy Awareness Course ~20 Mins or ~30 Mins)

 

 This course (~20 minutes or 30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations.  I updated this program for GDPR.  The course focuses on three main issues:

  • Why is privacy important?
  • What is personal data?
  • How do we protect privacy?

COURSE OUTLINE:

  • The Purpose of this Training
    Personal Data
    People Care About Privacy
    Your Role
  • Why We Protect Personal Data
    Respect
    Preventing Harm
    Trust
    Reputation
    Legal Compliance
    Contractual Compliance
  • What is Personal Data?
    Identifying Personal Data or PII
    Sensitive Data
  • Data Collection
    Lawful Basis
    Data Collection Limitation
  • Data Handling and Processing
    Limited Access
    Confidentiality
    Security Safeguards
  • Use of Personal Data
    Purpose Specification
  • Individual Knowledge and Participation
    Notice
    Access and Correction
    Consent
    Right to Erasure
    Right to Data Portability
  • Transfer and Sharing of Data
    International Transfers of Data
    Sharing Data with Third Parties
  • Accountability
    Privacy by Design
    Ask the Privacy Office

GDPR’s Broad Scope: A Short Vignette

GDPR Humorous Vignette

Please check out our humorous 1-minute video vignette about the GDPR.

CARTOONS

Preparing for GDPR

 

Taking Privacy Seriously

cartoon-gdpr-training-privacy-shield-training-01

Beyond GDPR: The Challenge of Global Privacy Compliance — An Interview with Lothar Determann

Daniel Solove
Founder of TeachPrivacy

For multinational organizations in an increasingly global economy, privacy law compliance can be bewildering these days. There is a tangle of international privacy laws of all shapes and sizes, with strict new laws popping up at a staggering speed. Federal US law continues to fade in its influence, with laws and regulators from abroad taking the lead role in guiding the practices of multinational organizations. These days, it is the new General Data Protection Regulation (GDPR) from the EU that has been the focus of privacy professionals’ days and nights . . . and even dreams.

As formidable as the GDPR is, only aiming to comply with the GDPR will be insufficient for a worldwide privacy compliance strategy. True, the GDPR is one of the strictest privacy laws in the world, but countries around the world have other very strict laws. The bottom line is that international privacy compliance is incredibly hard.privacy, privacy training, GDPR

This is what Lothar Determann focuses on. For nearly 20 years, Determann has combined scholarship and legal practice. In addition to being a partner at Baker & McKenzie, Lothar has taught data privacy law at many schools including Freie Universität Berlin, UC Berkeley School of Law, Hastings College of the Law, Stanford Law School, and University of San Francisco School of Law. He has written more than 100 articles and 5 books, including a treatise about California Privacy Law.

Hot off the press is the new third edition of Lothar Determann’s terrific guide, Determann’s Field Guide to Data Privacy Law: International Corporate Compliance.  Determann has produced an incredibly useful synthesis of privacy law from around the globe. Covering so many divergent international privacy laws could take thousands of pages, but Determann’s guide is remarkably concise and practical. With great command of the laws and decades of seasoned experience, Determann finds the common ground and the wisest approaches to compliance. This is definitely an essential reference for anyone who must navigate privacy challenges in the global economy.

Continue Reading

The Hidden Force That Will Drive GDPR Privacy Compliance

Daniel Solove
Founder of TeachPrivacy

GDPR Compliance

 

The clock is ticking on getting ready to comply with the EU General Data Protection Regulation (GDPR). EU regulators will start enforcing it on May 25, 2018.

GDPR is less than a year away, and it’s quite a challenge to get ready for. Becoming compliant is not something that can be achieved overnight, or in a week, or in a month, or even in quarter.  A lot of privacy and security controls must be put into place or adapted to satisfy new EU standards and rights.

.

Continue Reading

Preparing for GDPR: A Year to Batten Down the Hatches

Daniel Solove
Founder of TeachPrivacy

The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018.  The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.

Continue Reading

The U.S. Congress Is Not the Leader in Privacy or Data Security Law

Daniel Solove
Founder of TeachPrivacy

Capitol Sinking 01

A common myth is that the U.S. Congress is a leader in creating privacy and data security law.  But this has not been true for quite some time.  Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.

In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws.  Here are some of the most prominent of these statutes:

Continue Reading

Congress’s Attempt to Repeal the FCC Internet Privacy Rules: The Void Will Be Filled

Daniel Solove
Founder of TeachPrivacy

FCC Privacy Rules Repealed

Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs).  The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements.  Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications.  The rules required reasonable data security protections as well as data breach notification.

FCC LogoThis development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed.  There are many other regulators and sources of privacy law to fill the void.

Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules.  They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.

Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry.  In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies..  But nature abhors a vacuum.  Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU.  They are far more likely to regulate privacy even more stringently than the FCC or FTC.

In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation.  This is what happened with data security regulation and data breach notification.  Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law.  But it failed to act.  Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws.  Instead of having to comply with one law, companies must navigate laws in many states.  The most common strategy for companies operating in all states  is to try to follow the strictest state law,  Thus, the de facto rule is the law of the state with the most strict protections.

Continue Reading

Privacy Cartoon: Privacy Budget vs. Security Budget

Daniel Solove
Founder of TeachPrivacy

 

Cartoon Privacy vs. Security Budget

My cartoon depicts the discrepancy in the security and privacy budgets at many organizations.  Of course, the cartoon is an exaggeration.  In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were.  That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.

Fortunately, it does appear that privacy budgets have increased according to the 2016  IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world.  Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.

Continue Reading

GDPR Cartoon: Taking Privacy Seriously

Daniel Solove
Founder of TeachPrivacy

cartoon-gdpr-training-privacy-shield-training-02

I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy.  More work gets thrown onto the shoulders of under-resourced privacy departments.

It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization.  Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018.  It’s never too early for organizations to start preparing.  GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases.  For more information, see the FAQ page I created about the GDPR and privacy awareness training.

Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take.  Privacy office budgets and sizes should be going up by a lot these days.

Continue Reading

Privacy Shield Training

Daniel Solove
Founder of TeachPrivacy

Privacy Shield Training Course

I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework.  Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US.  Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.

Continue Reading

A New US-EU Safe Harbor Agreement Has Been Reached

Daniel Solove
Founder of TeachPrivacy

EU-US Privacy Shield Safe Harbor Training

Last year, the death of the US-EU Safe Harbor Arrangement sent waves of shock and despair to the approximately 4500 companies that used this mechanism to transfer personal data from the US to the EU.  But a new day has dawned.

Continue Reading