What do you get when you put an Englishman in charge of information privacy? A lot of experience, ideas, and expertise when it is Ralph O’Brien. With all the news on the Coronavirus, one could almost forget there are still Brexit negotiations taking place. There is still a question whether the United Kingdom can obtain an adequacy decision from the European Union. Is the UK data protection legislation enough to offer an “essentially equivalent” level of data protection? What are the British views on using and protecting personal data? What about national surveillance? And how does this all tie in to the life and work of a privacy consultant? These topics and more will be addressed in this episode with Ralph – a highly respected privacy professional located in the United Kingdom.
The conversation takes us from how Ralph first entered privacy and the considerations and areas of focus at that time to how privacy has evolved. As we can imagine, the world of privacy, including Brexit issues, has dramatically changed and not all changes are necessarily good. Listen as Ralph shares his thoughts on data privacy, technology, the privacy profession, and Brexit – including what caused him to “go ballistic” on Twitter. Listen to this week’s episode on our website or stream the episode below.
The global pandemic caused by COVID-19 has affected most companies and for many requires operational changes in order to move forward. In light of the uncertainty, TrustArc has provided access to the latest guidance and other helpful information to assist companies as they plan to reopen.
COVID-19: Privacy Risks & Considerations eBook
As the conversation shifts from how to create a remote workforce to how to reopen the physical office, this eBook provides privacy risk guidance for businesses during the COVID-19 pandemic. Download the free eBook here.
The COVID-19 Comparison provides summarized analysis from 100 regulators on the following topics:
- Whether certain legal exceptions apply, such as for public health, healthcare, public interests, or vital interests;
- What can be collected from employees and visitors;
- Requirements related to disclosure of confirmed cases; and
- Processing of location data.
Download the Comparison Chart here.
TrustArc has developed regional maps showing regulators' guidance on returning to work after COVID-19. Download the PDFs: United States, Canada, European Union & United Kingdom
- Providing guidance for employers navigating privacy and security issues; and
- Discussing the privacy implications of new mobile technologies tracking individuals to prevent the virus’ spread.
Serious Privacy Podcast
Serious Privacy podcast discusses COVID-19’s impact on privacy in the following episodes: COVID-19 Part 1, COVID-19 Part 2, Tech Talk: Innovation during COVID-19, Privacy on the Front Lines: A View from LA, and Returning to Work.
Privacy Insight Series Webinar
Watch our on-demand COVID-19 webinar to learn how employers can ensure good data protection and governance practices in these special times.
The 25th of May 2018 will be a day that is forever etched into our memories. It is a day we had been working towards for well over seven years by the time it arrived. For those of you who don’t remember – it is the day the GDPR entered into application. What other topic could we possibly discuss in today’s Serious Privacy episode other than the first GDPR review? The serious question is – is it time to celebrate?
Let’s look at the lessons we learned over the past two years and review activities by consumers, businesses, and regulators. You will get both the U.S. and the European perspective, and we have a special guest for this episode – TrustArc’s own CEO, Chris Babel. Chris brings with him decades of experience in both security and privacy and has a front row seat in most privacy initiatives. Having worked in security when compliance requirements first ramped up there gave Chris a solid understanding of how compliance initiatives grow, including the funding challenges they face. We discuss the good, the bad, the ugly – and the promise of GDPR. Listen to this week’s episode on our website or stream the episode below.
The European General Data Protection Regulation (GDPR) this week celebrates its second anniversary. For many organisations, it may seem that the GDPR has become business as usual; one of many elements of their global compliance strategy. For many others, it remains a continuous struggle.
The two-year anniversary is an important milestone for the GDPR, since this is the moment at which the European Commission was supposed to present its first evaluation of the application of the Regulation. Unfortunately, the report has been delayed until the start of the summer. Some of the lessons learned are nevertheless crystal clear.
Overall, the GDPR has been a success
In preparatory analysis for the European Commission’s review, the EU Member States, the European Data Protection Board (EDPB – the assembly of all EU supervisory authorities) and even industry groups, like the Centre for Information Policy Leadership (CIPL), all agree: overall, the GDPR has been a success. Especially in the private sector, the Regulation has brought a big increase in awareness of privacy and data protection issues. Many organisations have implemented far-reaching privacy programs to ensure the personal data of their employees, business partners and customers is well protected. And if something goes wrong, they are much more forthcoming in reporting a breach than they were in the past, judging by the total number of data breaches reported thus far.
The ‘extraterritorial’ influence of the GDPR is also noticeable. Countries around the world have adopted legislation to bring their own privacy laws more in line with the GDPR, or are in the process of doing so. Think for example of Japan, where additional legal provisions and guidelines were adopted to ensure its privacy law could be declared adequate. A similar process is ongoing in South Korea. And in Brazil, the new omnibus privacy law LGPD is clearly inspired by the GDPR, as is the draft Indian privacy bill currently before Congress. That doesn’t mean these laws are exact copies of the GDPR: all countries have chosen to embed their laws in their own national legal traditions, but many of the newer concepts and compliance approaches introduced by the GDPR have been copied.
The GDPR has not achieved one of its main goals: full harmonisation
One of the main points of criticism of the GDPR is that it is a Regulation-in-name-only. That requires a bit of explanation. Under EU law, there are two main legal instruments: Regulations, which have direct legal effect in all EU Member States and in principle do not require national implementing laws, and Directives, which are only binding as to the goal they aim to achieve. Directives always require implementing laws in all EU Member States. The GDPR is officially a Regulation, and many of its provisions indeed have direct effect and can be relied upon by organisations and individuals throughout Europe. However, on many details, like the use of special categories of personal data (including health data), additional national rules can be imposed, either to allow the processing of such data or to make it more difficult. The same goes for data used in an employment relationship and for research and statistical data. Also, the age at which minors can provide consent for online services varies from country to country, between 13 and 16 years. This means the original goal of having “one single privacy rule for the whole of the European Union” has not been completely achieved. The core of the Regulation has been harmonised, but many important details have not.
What also hasn’t been fully harmonised is the approach supervisory authorities should take when enforcing the law. The GDPR provides the main elements of what an investigation should look like and how authorities should consult each other, but the process itself is run on the basis of national administrative law. These laws fall outside the scope of EU legislation, and thus are not harmonised.
Supervision and enforcement of the GDPR remains a struggle
More generally, the supervision and enforcement of the GDPR is not an unequivocal success either. Many had expected – and sometimes hoped – that data protection authorities would start imposing multimillion-euro fines from the moment the GDPR went into application. That seems not to have been the case. In particular, some high-profile complaints brought by civil society groups like NOYB (none of your business, led by the Austrian Max Schrems) and Privacy International are still awaiting a decision by the competent authorities. But that doesn’t mean the GDPR has not been enforced at all.
At the start of 2020, well over €115 million had been imposed in fines by the various data protection authorities. In addition, many authorities have taken other types of enforcement decisions, as allowed by the GDPR, from (public) warnings of non-compliance, to the suspension of processing operations. Many data protection authorities also make clear it sometimes suffices to have a phone call with a non-compliant organisation, to explain the correct interpretation and/or application of the GDPR. This may not be the most visible way of enforcement, but it is a really effective one.
The main hurdle for data protection authorities is a lack of resourcing and funding. Two-thirds confirm they do not have sufficient resources to deal with all the complaints received from individuals, as well as with the requests from companies for guidance and for approval of certifications and international transfer instruments. The Council and CIPL also conclude in their GDPR evaluation reports that underfunding of data protection authorities is a risk for the effective implementation of the GDPR.
With only two years’ experience of working with the GDPR in practice, almost everyone agrees that it is too soon to start discussing any possible changes to the text of the Regulation. For now, Member States, supervisory authorities and industry seem content with more (detailed) guidance from the EDPB. At the same time, they note the reform of data protection legislation in Europe is still not complete. The ePrivacy Regulation, which is to provide the specific rules for online data protection in line with the standards and principles of the GDPR, is still in the legislative process, with no agreement on a final text of the Regulation in sight. The hope is that the German presidency of the Council from July onwards will be able to make some progress on this file.
Describe your perfect privacy career. Do the words “vibrant,” “brilliant,” and “high energy” come to mind? Back when we still had privacy conferences and trade shows, you could sometimes meet someone who was so vibrant, so enthusiastic and so interesting that they would make the whole event. Emerald de Leeuw, Privacy Lead in EMEA for Logitech, is that kind of person. She is a fellow Dutchie, like Paul, and calls Ireland her home. She is an entrepreneur with a brilliant privacy mind, but allegedly also serves up a mean cocktail.
We speak about building out a career in privacy, being underestimated and staying sane while working hard. We also talk about the challenges that a woman in privacy and tech faces, whether at the beginning of her career, or even when she is established and successful. Being underestimated is just one of those challenges. Emerald also opens up about her career champions and the importance of being authentic as a professional. Listen to this week’s episode on our website or stream the episode below.