Data, Data, Everywhere! In Data We Trust

 

Peter Glantz

The Lawyer’s Desk–By Peter Glantz, Esq.

“Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments, but for private companies.” Bill Gates.

On May 25, a new data protection regulation titled General Data Protection Regulation, Regulation (EU) 2016/689, will come into force in the European Union and its 28 member states. The GDPR provides significant new data privacy protections for individuals, with corresponding requirements that must be implemented by organizations, regardless of location, that control or process the personal data of individuals located in the EU.

What are the requirements of the GDPR?

The GDPR applies to the collection and processing of personal data in connection with an automated process or part of a manual filing system (both direct and indirect personal data, including name, location and online identifier). Under the regulations, an organization needs a lawful basis to process personal data and is required to satisfy additional requirements to process “special data” which, among other categories, includes race, ethnic origin, religion, politics and sexual orientation.

The GDPR imposes far-reaching requirements on “data controllers” (organizations that determine the purpose and means of processing personal data) and “data processors” (third parties who process data on behalf of controllers) within the EU, as well as organizations located outside the EU if the organizations: (1) offer goods and services to persons in the EU; or (2) monitor behavior of individuals in the EU.

Mere website accessibility by persons in the EU is likely insufficient to establish intent to offer goods and services to persons in the EU or its individual member states.

To ensure compliance with the GDPR, organizations must, inter alia, institute appropriate technical and organizational measures to implement data protection principles. In addition, organizations should appoint a data protection officer, such as an employee or external consultant who has “expert knowledge of data protection law and practices” that must “directly report to the highest management level,” and implement policies consistent with the GDPR for: (1) processing personal data; (2) deleting data when there is no longer a need for it; (3) document retention; (4) responding to data breaches; (5) disclosing personal data; (6) training employees about privacy; (7) maintaining an up-to-date privacy policy and terms and conditions; (8) reviewing of encryption software; and (9) performing regular compliance policy reviews and/or audits.

Data controllers are required to have a written contract with data processors to ensure organizational and technical compliance with the GDPR. The GDPR sets forth what needs to be included in these agreements. The GDPR also provides detailed restrictions on the cross-border transfer of personal data, which will have significant implications insofar as United States civil litigation discovery requests are concerned.

The GDPR also requires data controllers to self-report security breaches to regulators within 72 hours of the subject breach with some exceptions.

To avoid GDPR liability, organizations should, among other things, establish and implement policies and procedures regarding their protection and handling of the data of individuals that they control/obtain, conduct staff training, hire DPOs, and establish breach response protocols. These measures can help identify, prevent, and reduce regulatory and/or legal liability.

Companies should review all contracts with business partners to ensure compliance with the GDPR and review insurance policies to make sure that GDPR-related coverage is in place. In addition, organizations should keep records of GDPR organizational and technical measures that have been implemented. This will be useful in the event of an audit by a supervisory authority.

This article is written by a member of the Oxman Law Group, PLLC (www.oxmanlaw.com). Any comments or inquiries are welcome and can be directed to Marc Oxman at 914-422-3900 or moxman@oxmanlaw.com.

- Advertisement -
- Advertisement -

Hot this week

Yonkers City Council Votes 4-3 to Change Term Limits to 4 Terms-16 Years

"I wanted to find the best way to represent...

YPIE Connects Yonkers Students with Mentors During “March Matchness”

YPIE welcomed more than 100 new Graduation Coaches, who...

Improving Your Psychological Well-being: A How-to Guide

Photo from Pixabay.com Understanding and enhancing psychological well-being is...

Eastchester Middle School Welcomes Holocaust Survivor Hanne Holsten

Eastchester Middle School welcomed a very special visitor, as...
- Advertisement -
- Advertisement -

How Do You Find Reliable Door Automation Companies?

Automatic doors play an important role in commercial buildings,...

PUTNAM COUNTY SHERIFF’S OFFICE INVESTIGATING CRIMINAL MISCHIEF TO SYBIL LUDINGTON STATUE

The Putnam County Sheriff’s Office is investigating an incident...

Why Ignoring Garage Door Issues Can Cost You More

A garage door is one of the most used...

Thousands Enjoy Ukrainian Heritage Festival in Yonkers

From State Senator Shelley Mayer: I had a wonderful...

Why and When Should You Take Help From Plumbing Maintenance Services

Plumbing systems play a major role in keeping every...

New York Yankees Odds: What Could Shape the Second Half

Photo from Unsplash.com Few teams enter the second half...

Related Articles

Popular Categories