IAPP Final Flashcards
Human RIGHTS LAWS
1948 Universal Declaration of Human Rights - adopted by the United Nations / declarations are non-binding
Council of Europe founded after war in 1949
ECHR - The European Court of Human Rights in Strasbourg, France, 1953 (TREATY) - founded by the Council of Europe
1948 Universal Declaration of Human Rights / declarations are non-binding
1 - right to a private life / human right to privacy -
2 - freedom of expression / right to free speech (not absolute and a balance must be struck)
- regardless of frontiers
3 - balance between right to privacy and right to free speech / indiv rights are not absolute and must be a balance
1949 Council of Europe founded after war
Not an EU org - 47 Member States
Upholds PRIVACY and data protection laws through its enforcement of the European Convention on Human Rights and (1981) Convention 108.
1953 The European Court of Human Rights (ECHR) in Strasbourg, France, (TREATY) - founded by the Council of Europe; it interprets the European Convention on Human Rights.
European Court of Justice (CJEU) - established in 1952 by the Treaty of Paris (1951); it is the supreme court of the European Union in matters of European Union law.
The Court of Justice of the European Union (CJEU) interprets EU law to make sure it is applied in the same way in all EU countries, and settles legal disputes between national governments and EU institutions.
It can also, in certain circumstances, be used by individuals, companies or organisations to take action against an EU institution, if they feel it has somehow infringed their rights.
CJEU can force national governments to implement and honour EU law; the ECHR cannot
Timeline of privacy
1973 - first data protection law, in Sweden, called the Data Act
1949 Council of Europe founded after war
Not an EU org - 47 Member States
The Organisation for Economic Co-operation and Development
1976, OECD - Guidelines for Multinational Enterprises
NOT LEGALLY BINDING
The Guidelines provide non-binding principles and standards for responsible business conduct in a global context
seven principles of the OECD
Access –
Accountability –
Notice –
Purpose –
Consent –
Security –
Disclosure –
1981 - Convention 108 (data transfers & automatic processing )
Council of Europe / Treaty
- UNIQUE AS BINDING - WITH SIGNATURE (first legally binding international instrument in data protection)
- guidelines for processing special data
- regulate cross border flow
- enshrines rights to know that information is being stored & is correct
- fair and lawful collection
- specified legitimate purposes
- open to countries outside the EU (54 countries)
- provides for free flow of personal data between states party to the convention
- RAAN (proportionality)
- adequate as well as accurate
- automatic processing of data
- quality
Convention 108+ difficulties
- member states failed to adopt the OECD guidelines
- only a few states ratified and member states had adopted a fragmented approach
Oct 2018 Convention 108+ updated to align with GDPR
Some of the innovations contained in the protocol are the following:
proportionality and data minimisation principles,
lawfulness of the processing
Extension of the types of sensitive data, which will now include genetic and biometric data, trade union membership and ethnic origin.
Obligation to declare data breaches
transparency of data processing
New rights for persons in an automated decision-making context
Stronger accountability
Requirement that the “privacy by design” principle is applied
Application of the data protection principles to all processing activities, including for national security reasons
transborder data flows
Reinforced powers and independence of the data protection authorities and enhancing legal basis for international cooperation.
1995 Data Protection Directive 95/46/EU
Proposed by the European Commission
GDPR Replaces Data Protection Directive 1995
Regulates the processing of personal data in (EU) & balances the free movement of data. Each member state must set up a supervisory authority
Under the DPD, EU member states were free to adopt different data breach notification laws. This meant that when companies suffered data breaches in the EU, they had to research and ensure compliance with each member state.
1995 Data Protection Directive 95/46/EU created the Article 29 Working Party (Art. 29 WP) "with regard to the Processing of Personal Data"
Transfer of personal data to third countries (term used in legislation to designate countries outside the European Union)
The Working Party negotiated with United States representatives about the protection of personal data; the Safe Harbour Principles were the result
2000 E commerce directive
declared issues of data processing to be outside its scope
2002 E Privacy
legally binding on member states; requires member state implementation
2006 EU Data Retention Directive scrapped in 2014
2009 - Treaty of Lisbon - strengthened and improved the core functions of the EU to improve efficiency; gives the Charter of Fundamental Rights FULL LEGAL force in the EU
It established an institutional framework to make decision-making faster and improve efficiency
European parliament
European Council - made an institution so it can make binding decisions rather than advisory ones
The council
The European commission
CJEU
European Central Bank - made an institution so it can make binding decisions rather than advisory ones
court of auditors
2016 - GDPR becomes law, enforceable from May 2018
GDPR Replaces Data Protection Directive 1995
Bodies of EU
European Parliament and Council of the EU jointly determine budget and legislative functions; can influence EU spending
The data processing principles .
European Parliament
- only EU institution where members elected / the only democratic representation
- supervisory oversight of other institutions
- development of budget
- It debates legislation.
It can pass or reject laws, and it can also make amendments (but not in all cases). Laws must also be passed by the Council of the EU in order to become law
Council of the EU / otherwise known as the Council of Ministers
Main decision-making body of the EU; the Council is an essential EU decision-maker.
- one minister from each of the 28 member states, depending on the policy area / ministers have power to commit their nations to Council decisions
Negotiates and adopts EU laws.
Coordinates member states’ policies.
Develops the EU’s common foreign and security policy.
Concludes international agreements.
Adopts the EU budget.
European Commission
The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts.
includes:
- one commissioner per member state
- proposes policies and implements decisions and policies
- initiates legislation - the ONLY INSTITUTION which CREATES NEW LAWS
- executes the budget
- responsible for ensuring directives/treaties are implemented properly
- Makes ADEQUACY DECISIONS for data transfers
- creates model contracts
- gdpr consistency mechanism A means by which supervisory authorities co-operate with each other, and where relevant the European Commission, to ensure the consistent application of the GDPR throughout the EU
Legislative role - proposing legislation to the Parliament and the Council;
Implementation role - putting EU policies into effect;
Legal role - enforcing EU law jointly with the Court of Justice;
Representative role - representing the EU at highest international level
European Council
meets four times a year to define EU priorities and set political direction
The European Council brings together EU leaders to set the EU’s political agenda. High representative of foreign affairs and security policy (does not exercise legislative functions).
includes :
- heads of state of 28 members
- European council president
- European commission president
- parliament
European Court of Justice (CJEU)
the judicial body of the EU that makes decisions on issues of EU law and enforces law in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law.
The court is frequently confused with the European Court of Human Rights (ECHR), which oversees human rights laws across Europe, including in many non-EU countries, and is not linked to the EU institutions.
CJEU can force national governments to implement and honour EU law; the ECHR cannot
The EU Directive on Privacy and Electronic Communications (2002/58/EC) (ePrivacy Directive)
QUESTION : EPrivacy known as Directive 2002/58 / Cookie Directive
the ePrivacy Directive works alongside the GDPR, but its specific provisions take precedence over the GDPR's more general provisions
eprivacy covers electronic communications over public communications networks
It sets out rules governing the processing of location, content and traffic data over a public electronic communications network or publicly available communications system includes telecommunications
(voice telephone calls, data, text, images, mms, video, fax, internet, email)
Postal - not subject to the ePrivacy Directive (not electronic)
Private network - if not publicly available, e.g. a corporate intranet, ePrivacy rules do not apply
key principles:
- must take technical and organisational measures to safeguard security
- member states are required to ensure confidentiality of communication and traffic data
- person-to-person telephone marketing does not require prior (opt-in) consent
- opt-in exemption for businesses to send marketing to existing customers
- location data can only be processed as anonymous or with opt in consent for only duration necessary for provision of service
- traffic and billing data subject to restrictions / limited access
- telecoms carriers can process traffic data
- subscribers must be informed before being added to a directory
- confidentiality must be ensured and can’t be disclosed to third parties without consent
2011 amendments
- service providers must notify users and the national authority of data breaches where the breach is likely to adversely affect the user
- users (individuals / orgs / ISPs) can bring legal proceedings against unsolicited communications
- consent must be given for cookies
member states can introduce exceptions for national security or law enforcement
The EU Directive on Electronic Commerce (2000/31/EC)
The e-Commerce Directive, adopted in 2000, sets up an Internal Market framework for online services. Its aim is to remove obstacles to cross-border online services in the EU internal market and provide legal certainty for businesses and consumers.
“any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service”
e.g. providing transmission of information via communication networks, online hosting, providing access to a communication network
4 step test determines if data qualifies as personal data
- 4 step test —— 1) any information 2) relating to 3) an identified or identifiable 4) natural person
natural person is universal regardless of country of residence
GDPR scope
Territorial Scope (QUESTION where it applies)
QUESTION - what is forum shopping
the practice of choosing the court or jurisdiction that has the most favorable rules or laws for the position being advocated.
Material Scope (what it does not apply to)
Territorial Scope (just one of these criteria must be met for GDPR to apply)
1 - when a processor or controller is based in the EU, regardless of whether the processing takes place in the EU
2 - processing PI of DS when offering to sell goods or services to EU customers
3 - monitoring individuals in the EU (when the controller/processor is not in the EU)
4 - processing of PI by a controller not in the EU but where a member state law applies by virtue of public international law (ships, embassies, airplanes)
GDPR also applies to all countries in the European Economic Area (the EEA).
Material Scope
In scope:
1 Processing data wholly or partly by automated means without human intervention (not automated decision as it has different rules )
2 Processing data other than automated means of personal data which forms part of a filing system
Exclusions to material scope :
- activities outside the scope of EU law - i.e. national security, defence activities
- when a member state is processing for foreign or security policy; personal data that becomes used for security purposes falls within this category
- prevention, detection, prosecution or investigation of criminal activities law enforcement and public security
- purely personal or household activities
- eu institutions are not covered by GDPR
Personal data breach - actions controller/processor *8
Article 33
accidental destruction or loss
“If a processor acts without the controller’s instructions in such a way that it determines the purpose and means of processing, including to comply with a statutory obligation, it will be a controller in respect of that processing and will have the same liability as a controller.”
CONTROLLER- must communicate to SA in 72 hours without undue delay and may have to inform impacted DS
QUESTION - If Processor finds a breach it must tell Controller without undue delay
QUESTION - what should controller communicate to SA
- nature of the personal data breach
- DPO controller details
- the categories of data
- no of data subjects
- data subject categories
- no of personal data records
- describe the likely consequences of the breach
- describe the measures taken to mitigate
Exceptions:
- personal data is unintelligible / encrypted
- controller has taken steps/actions to prevent risk to the rights and freedoms of DS
- would involve disproportionate effort; could use a press release instead
Controller & processor obligations
SECURITY of processing personal data *6
TECHNICAL AND ORGANISATIONAL MEASURES * 4
Controller & processor obligations SECURITY OF PROCESSING DATA
Take into account
- state of the art
- costs of implementation
- nature
- scope
- context and purposes of processing
- risk of varying likelihood and severity for the rights and freedoms of natural persons
TECHNICAL AND ORGANISATIONAL MEASURES
- Pseudonymisation or encryption
- ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
- ability to restore the availability and access to a personal data in a timely manner in case of incident
- process for testing, assessing and evaluating technical and organisational measures to ensure security
Contract stipulations for Processors with Controllers
QUESTION - an obligation to assist the controller in complying with controller obligations to notify SA - controllers must inform SA
Contract stipulations:
- process PI only on documented instruction from controller
- confidentiality commitments of those processing data
- technical and org measures
- assist controller in response to exercising indiv rights requests
- assist controller in obligations with SA’s when req
- make all info available to demo compliance
- delete and return data at end of processing or as instructed by controller
- contribute to audits
- immediately inform the controller of infringements of GDPR or member state law
Data Sharing
ART 35 DPIA - data protection impact assessment
processing which will likely require/trigger a DPIA:
(1) systematic and extensive use of AUTOMATIC PROCESSING or PROFILING where decision made could produce legal effects or significantly affects individuals,
(2) processing on a large scale of SPECIAL categories of personal data
(3) the systematic monitoring of a publicly accessible area on a large scale (CCTV) and potentially drones
(4) Processing on a large scale of personal data relating to CRIMINAL convictions and offences
(5) The use of NEW TECH systems and BIOMETRIC procedures.
Includes:
- responsibilities of controller and processor
- purpose
- means of processing
- name of dpo
- legitimate interests of controller
- an assessment of risks to rights’ and freedoms of indiv
- assessment of Data Minimisation
- use of new technologies
- safeguards and measures to address risks, including:
- security measures and mechanisms to protect personal data
if high risk is not mitigated, the SA must be consulted before processing
DPO ART 37-39
Q: DPO (must be available) does not need specific quals.
Q: APPOINTING A DPO MAKES THE GDPR CONSISTENT ACROSS THE EU
DPO Tasks
the dpo is now a required position for only:
1 is a public authority (mandatory in public sector)
2 core processing includes regular and systematic monitoring of DS on a large scale (numbers or volume)
3 core processing includes large-scale special categories / hospitals are included but an individual doctor is not, etc.
member state law is allowed to specify additional circumstances that must appoint a dpo
dpos are not personally responsible it is the controller or processor who has responsibility
multinationals can have a group wide DPO (must be available) does not need specific quals.
Promote awareness and understanding of data protection, including risks, safeguards and rights
Handle complaints and carry out investigations
Support the consistent application of the Regulation internationally, which includes working within the consistency mechanism, providing mutual assistance and supporting the European Data Protection Board (EDPB)
Monitor the development of information and communications technologies and commercial practices
actions
- ensure compliance with regs
- advise the controller or processor
- manage risk
- point of contact with SA / cooperate with SA
- communicate with DS and SA
- advise on and monitor DPIAs
- Inform and advise the company and the employees of their obligations
- Monitor compliance with the Regulation and with company policies, including managing internal data protection activities, training staff and conducting internal audits
QUESTION: APPOINTING A DPO MAKES THE GDPR CONSISTENT ACROSS THE EU.
QUESTION: if processing DS in the EU by offering goods or services or monitoring behaviour that takes place in the EU, controllers/processors not in the EU have to designate a representative within the member states to whom the processing applies.
Safe Harbour
CANARDS
Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States
Thousands of organizations are Privacy Shield participants. These organizations span industry sectors and sizes. While many large multinational entities have self-certified
Considering the large volume of data transfers carried out between the EU and the United States, the U.S. Department of Commerce and the Commission originally developed the Safe Harbour mechanism as a self-regulatory framework.
Perceived weaknesses
- participants did not perform required annual compliance checks
- lack of active enforcement by the Federal Trade Commission (FTC)
Privacy Shield
Came into force in 2016
II. EU-U.S. Privacy Shield Principles
CANARDS
Choice
Accountability for Onward Transfer
Notice
Access
Recourse, Enforcement and Liability
Data Integrity and Purpose Limitation
Security
BCR = Binding Corporate Rules - ARTICLE 47
Safeguards for Cross Border Data Transfer
require approval from an SA
Appropriate safeguards include several mechanisms:
binding corporate rules (Article 47),
approved codes of conduct (Article 40)
Standard Contractual Clauses (Article 93)
“Cross-border processing” in the GDPR lingo means:
processing that takes place when the controller or the processor has establishments in more than one member state.
Appropriate safeguards
BCRs are designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company. If supervisory authorities sign off on those rules, the company is considered free to transfer personal data within its organisation. Internal and legally binding rules.
must include
- structure and contacts of corporate group
- data or set of data transfers, including:
- categories,
- type of processing,
- purpose
- identification of 3rd country or countries
- legally binding nature - internal and external
- application of GDPR data protection principles
- application of GDPR rights of DS
- liability for any BCR breach rests with the controller / processor established on member state territory, not with the group member outside the Union
- info on how BCR info (above points) is provided to the DS
- tasks of DPO or entity in charge of monitoring compliance with BCR
- complaint procedures
- mechanism for ensuring the verification of compliance with the binding corporate rules
- the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority
- the cooperation mechanism with the supervisory authority to ensure compliance
- the mechanisms for reporting to the supervisory authority
- appropriate data protection training to relevant personnel
Derogations (last resort)
require approval from an SA
Used as a last resort when Safeguards are not in place and there is not an Adequacy decision
As exceptions, they are interpreted restrictively (so that the exceptions do not become the rule).
- Consent
- Contract performance
- Substantial public interest
- Legal claims
- Vital interests
- Public register
- Not repetitive transfers
Derogations
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
TIA - transfer impact assessment (appropriate safeguards)
Appropriate safeguards
The process of assessing data protection equivalence between third country and EU law is called a TIA
The term “Transfer Impact Assessment” or “TIA” has come to refer to a written analysis, conducted by a controller or a processor, of the impact that a transfer of personal data to a country outside of the EEA may have on the privacy afforded to the transferred data.
legal tools designed to ensure recipients of PI who are outside the EEA are bound to continue to protect PI and to facilitate international transfers
all require approval from an SA
Many orgs rely on:
- questionnaire
- technical, organisational and contractual safeguards
Enforcement remedies AND LIABILITIES AND PENALTIES
SA to impose an administrative fine pursuant to Article 83
Each supervisory authority shall ensure that the imposition of administrative fines (Article 83) is effective, proportionate and dissuasive
Generally, only the lead authority may take action against cross border data processing in the EU
29WP - fines and infringements
- number affected
- purpose of processing
- how the org addressed purpose limitation
- damage suffered by DS
- duration of infringement
controllers and processors can have fines imposed on them by SA
FINES ISSUED BY SA
can also be liable to pay compensation for material or non-material damage they cause to individuals
two-tier fining regime:
- Up to 20 million EUROS or 4% of turnover:
  - data protection principles
  - lawfulness of processing
  - consent
  - processing of special data
  - data subject rights
  - international transfers
  - failure to comply with the SAs’ investigatory and corrective powers
- Up to 10 million EUROS or 2% of turnover (data security breaches are in the 2% tier, i.e. if you lose data):
  - child consent
  - data protection by design and by default
  - engagement of processors by controllers
  - records of processing
  - cooperation with regulators
  - security (loss, destruction)
  - breach notification
  - DPIAs
  - DPOs
  - codes of conduct and certifications
taking into account :
- the nature, gravity and damage suffered by DS
- nature, scope and purpose of processing
- no. of indiv concerned
- duration of the infringement
- degree of responsibility you have for infringement
- degree of cooperation with SA
- categories of personal data - e.g. sensitive
supervisory authorities - three categories of powers
QUESTION: SA’s have 3 months to respond to DS complaint before it goes to court
three categories of powers
Investigative
- can demand investigations in the form of an audit or an inspection of premises and processing equipment
- can order the controller or processor to provide any information required for its tasks
- CAN NOTIFY OF GDPR INFRINGEMENT
Corrective powers
- issue warnings that processing operations are not complying with GDPR
- can issue reprimands that processing operations are not complying with GDPR
- can order controller or processor to comply with DS requests to exercise rights under gdpr
- can order controller or processor to communicate a breach with DS
- can order rectification/erasure of data or restriction of processing
- can withdraw CERTIFICATIONS
- CAN IMPOSE AN ADMINISTRATIVE FINE
- can order SUSPENSION of data flow to 3rd country
Authorization and Advisory
- advise controller
- can opine to parliament, member states or public on any issue related to PI
- can approve codes of conduct
- can approve BCR
- create their own SCC / model clauses
- can accredit and issue CERTIFICATIONS
- can adopt SCC
European Data Protection Board (EDPB)
replaced the Article 29 working party WP29
The EDPB stated that in its view companies should “document [the TIA assessment]”; the assessment might be requested by the “competent SA”
urgency procedure
A supervisory authority may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision. An urgent binding decision shall be adopted within two weeks by simple majority of the members of the Board.
Mutual assistance
Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner
EDPB established by GDPR
- Independent European body
- The Board shall be represented by its Chair.
- The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.
- Where a Member State has more than one supervisory authority, a joint representative shall be appointed in accordance with that Member State’s law.
- The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.
Tasks
- monitor and ensure the correct application of this Regulation
- advise the Commission on any issue related to the protection of personal data
- advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;
- issue guidelines, recommendations and best practices on personal data breach
- issue guidelines, recommendations and best practices on binding corporate rules / pi data transfers
- draw up guidelines for supervisory authorities concerning the setting of administrative fines
- review the practical application of the guidelines, recommendations and best practices;
- issue guidelines for establishing common procedures for reporting infringements of this Regulation
- encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks
- approve the criteria of certification
- maintain a public register of certification mechanisms and data protection seals and marks
- approve the requirements to the accreditation of certification bodies
- provide the Commission with an opinion on the certification requirements
- provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country
- issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism
- promote the cooperation / exchange of information between the supervisory authorities;
- promote common training programmes and facilitate personnel exchanges between the supervisory authorities
- promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.
- issue opinions on codes of conduct drawn up at Union level
- maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
Processing EMPLOYEE Personal Data
There is no requirement that the employee reside or be a citizen of the EU, just that the employee be in the EU.
The GDPR allows EU countries to enact additional requirements for processing HR data through national laws and collective agreements, and these laws can be stricter than the GDPR. France has laws that prohibit personal information from being transferred outside France. Germany passed a law with additional or stricter HR data processing requirements. In addition, many union collective bargaining agreements and works council agreements that cover employees contain additional or stricter requirements for processing employee data.
- EU law - Local data protection law - local employment law
under GDPR you have to show there is a lawful basis that allows you to collect and process
lawful basis for collecting:
- employee has given consent (difficult to prove balance of power)
- processing necessary to fulfil an employment contract such as bank account
- processing necessary for a legal obligation such as sharing salary for tax info
- legitimate interests of employer - migrating employee info from one system to another (can’t be special data and public authorities can’t rely on this reason)
Whistle blowing schemes
US Sarbanes OXLEY act - accounting and auditing type issues
US companies with EU subsidiaries are bound by both US and EU data protection law
companies must have a system in place to receive anonymous complaints about potential wrongdoing, including fraud, misappropriation of assets or material misstatements in financial reporting; this should be a company whistleblowing reporting process
1) implementing a policy with strong adherence to internal controls
2) encouraging those with knowledge of potential fraud to report
3) reiterating confidential nature and protection of whistle-blower
Reporting :
- transparency
- security and confidentiality
- in the EU anonymous reporting is illegal, as it may encourage malicious reports; under whistleblowing schemes, assure reporters that their report will be kept confidential
- data retention
- scope of report
- types of report (health and safety violations to discriminatory activities)
- data subjects - different rules on who can be reported some can be at least manager level etc.
- you have to tell the individual that they have been reported, but this can be delayed to do the investigation; they have access to the report and the right to rectify - they have a general right of access
- data transfers- reported in EU but stored outside EEA - data must be processed in accordance with EU DP law (model clauses or BCR)
- security of report / If using a vendor need to ensure security.
EU view - if report can’t be proven then the report should be deleted. 3-6 months
BYOD - bring your own device
employees use their own personal devices - smartphones, tablets and laptops
poses data protection compliance issues
greater risks, including data breaches, which under GDPR could result in fines and penalties as well as loss of trust and reputation; devices are vulnerable to being lost and misused
companies should ensure :
- know where data is stored and measure to keep secure
- ensure transfer of data to server is secure to avoid interceptions
- remote wiping / remote kill - to locate devices and remove data on demand
- provide notice of BYOD to employees explaining consequences of signing up to BYOD and outlining info the org will be able to access
Sandboxing - ringfences organisational information to specific area of phone so if you need to remote wipe / kill you wipe only that bit , personal information remains unaffected
BYOD policy explains use and responsibilities :
- explain to employees how they can use BYOD & responsibilities
- align with employment law and GDPR
- know where and be clear about where data is processed / stored and measures to keep it secure
- transfer of data from personal device to companies servers is secure to avoid interceptions
- protect PI data / protect organisational data such as intellectual property, financial data
- enable employee productivity
- mitigate network risks
- consider how to manage personal data when a person leaves the company or when a device is stolen or lost; consider tracking software
- outline the info the company can access
QUESTION: To secure corporate data that is downloaded to mobile devices three steps are required:
- Discover who is accessing cloud services and from which devices and apps
- Lock down the data in those apps and devices
- Monitor and analyse the apps and devices for compliance