Connect with us

Science & Technology

GDPR Clock is Ticking for the US Companies as Well: Top 7 Tips to Get Ready

Published

on

General Data Protection Regulation is about to be applicable as from 25 May 2018. Its long-arm teritorrial reach brings obligations not only to EU establishements, but to US based companies as well. Global connection through internet especially underlines the likelihood of such broad application and it will impact US businesses.One of the prerequisits for safe transfer of data between the EU and US is already accomplished by the EU-US Privacy Shield agreement. The European Commission has considered this agreement as providing adequate guarantees for transfer of data. Under Privacy Shield scheme companies may self-certify and adhere to principles stated therein. Yet, there is still less then 3000 companies in the US participating in the Privacy Shield. But GDPR safeguards have still to be followed. Below, we shall look at some of the most profound aspects of compliance with GDPR for the US (non-EU) based companies.

Data protection officer

Although it is not obligatory pursuant the GDPR, it is advisable that a company appoints a data protection officer (‘DPO’) or designate that role to a specific position in the company. DPOcan also be externally appointed. There may be a single DPO for several companies or several persons designated with DPO role in one company. The position needs not necessarily to follow such a title, but it may be a privacy officer, compliance officer, etc. Such person should possess expert knowledge about the GDPR and data privacy, and may have legal, technical or similar background. GDPR was not specific as to requirements of that person, apart from possesing expert knowledge. Role of DPO is toinform, monitor, advise, the controller, processor or employees, to cooperate with supervisory authority, provide training of staff, help in performing data protection impact assesment.

Data Protection Impact Assesment

The further step that companies affected by the GDPR including US companies should do in order to evaluate the risk of data breach is to perform a data protection impact assesment (‘DPIA’). DPIA is a thorough overview of the processes of the company, and can be done with the help of data protection officer. It may include a form or a template with a series of questions, which have to be answered for each processing activity. DPIA has to be detailed and cover all operations in the company. The function of DPIA is to predict situations in which data breaches may occur, and which include processing of private data. DPIA should contain, pursuant to Article 35 of the GDPR, a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph, the measures envisaged to address the risks, including safeguards and security measures. DPIA is a very useful way of showing compliance and it is also a tool that would help to company at the first place, to have an overview of processing activities and an indication of where a breach could happen.

EU representative

A US company (non-EU based company) has to appoint an EU representative if its businessrelates to offering of goods or services to natural persons in the EU, including even free goods or services, or when processing is related to monitoring of behaviour of data subjects in the EU. Behaviour may include monitoring internet activity of data subjects in order to evaluate or predict her or his personal preferences, behaviors and attitudes. EU representative is not obligatory when the processing is occasional or does not include processing on a large scale of special categories of data such as genetic data, biometric data, data concerning health, ethnic origin, political opinions, etc. and when it is unlikely to result in a risk to the rights and freedoms of natural persons. However, given that the exceptions from the duty of designation of EU representative are pretty vague, in most cases companies whose operations are not neglectable towards persons in the EU would have to appoint a reprsentative. Location of such representative would be in one of the EU Member states where the data subjects are located. Representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with this Regulation, and he/she is also liable and subject to enforcement in case of non-compliance.

Consent matters

GDPR is overwhelmed with one key word of respect the privacy:consent. If companies wish to process data of natural persons that are in the EU, they must first obtain consent to do that. Consent must be freely given, informed, specific and unambigous.

Freely givenconsent presupposes that data subject must not feel pressured, or urged to consent, or subjected to non-negotiable terms. Consent is not considered as freely given if the data subject has no genuine or free choice.Data subject must not feel reluctant to refuse consent fearing that such refusal will bring detrimental effect to him/her. If the consent is preformulated by the controller, which is usually the case, the language of the consent must be clear and plain and easily understandable for the data subject. Further, if there are several purposes for the processing of certain data, consent must be given for every purpose separately. Consent must be specific and not abstract or vague. Silence, pre-ticked boxes or inactivity is not to be considered as consent under GDPR.

Informed consent means that data subject must know what the consent is for. He/she must be informed about what the consent will bring and there must not be any unknown or undeterminedissues. It is a duty of controller to inform data subject about scope and purpose of consent, and such information must be in clear and plain language. But, one must be careful that, as today in the world of fast moving technologies we face overflow of consentsa person has to give in short period of time, there may be an occurrence of ‘click fatigue []1’, which would result in persons not reading the information about the consent and clicking routinely without any thorough thinking. So, the controllers would have to make, by their technical design, such form of a consent, that would make the person read and understand his or her consent. It could be a combination of yes and no questions, changing of place of ticking boxes, visually appealing text accompanying consent, etc.

Consent must be unambiguous, or clearly given. There must not be space for interpretation whether consent is given for certain purpose or not. As to the form of the consent, it may be by ticking a box, choosing technical settings and similar (Recital 32 GDPR).

Data subject gives his consent for the processing of his personal data. However, companies have to bear in mind that data concept in the EU is broadly understood, and that it includes all personally identifiable information (PII), ranging from obvious data such as name and postal address, to less obvious data, but still PII covered by GDPR, such as IP address [2]. On the other hand the IP address is not that clearly considered as PII in the US. In that regard, the protection in the US must be stricter, obliging US based companies to also apply broader EU standards.

Privacy by design implemented

Privacy by design is a concept which brings together the legal requirements and technical measures. It is a nice and smooth way of incorporating law into technical structure of business. Privacy by design, if applied properly at the outset, shall ensure the compliance with the GDPR requirements. It should point out to principles of data minimisation, where only data which is necesssary should be processed, storage limitation, which would provide for a periodic overview of storage and automatic erasure of data no longer necessary.

One of the ways of showing compliance through the privacy by design is ‘pseudonymisation’. Pseudonymization is, according to GDPR, referred to as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information must be kept separately, so that it cannot be connected to identified or identifiable natural person.Pseudonymisation is not anonymisation and should not be mixed with it. Anonymisation is a technique which results in irreversible deidentification, and since it completely disables identification it is not subject of data protection under GDPR. Pseudonymisation only reduces the likability of a dataset with the original identity of a data subject, and is accordingly a useful security measure [3].

Binding corporate rules

Binding corporate rules (‘BCR’) include set of principles, procedures andpersonal data protection policies as well as a binding clause adopted by the company and approved by competent supervisory authority. Adopting binding corporate rules is not a simple process but means being on a safe track. It is one of the safeguards envisaged by the GDPR. BCR should include according to Article 47 of the GDPR, the structure and contact details of company, categories of personal data, the type of processing and its purposes, application of general data protection principles (such as purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, ..), rights of data subjects, the tasks of data protection officer, complaint procedures, mechanisms for reporting to the competent supervisory authority, appropriate data protection training to personnel, indication that BCR are legally binding. BCR should additionally be accompanied with privacy policies, guidelines for employees, data protection audit plan, examples of the training program, description of the internal complaint system, security policy, certification process to make sure that all new IT applications processing data are compliant with BCR, job description of data protection officers or other persons in charge of data protection in the company.

Make your compliance visible

Well, if your company has performed all of the above, it has to make it visible. Companies, that are covered with the GDPR, not only do they have to comply, they have to show that they comply. GDPR puts an obligation on controllers to demonstrate their compliance.

From the first contact with the controller, the website must give the impression of compliance. BCR, privacy policies,DPO contact details must be visible in order that data subject may address him in case of data risk or breach. EU representative’s name and contact must be put forward in order to be accessible by the supervisory authority in the EU. Contact form for data subjects with options for access, right to object, erasure, rectification, restriction, should be there.Organisational chart of the company, flow of data transfer demonstrated by data flow mapp.These are only some of the most imporant features that have to be followed.

Non-compliance is a very costly adventure. The adventure that businesses will try to avoid. With systematic planning and duly analysing the necessity of compliance with GDPR, and with clearly defined processes, US companies can put many benefits for the business and attract and encourage data subjects in the EU to freely entrust their datato them. This is a thorough process, but worth accomplishing.

[1] Article 29 Working Party Guidelines on consent,p. 17

[2] According to judgment of the Court of Justice of the EU of 19 October 2016,in case C 582/14,

[3] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques adopted on 10 April 2014 p. 3

Continue Reading
Comments

Science & Technology

Cybersecurity depends on the user

Published

on

Businesses and pharmaceutical companies have become prime targets for cyber criminals. For many employees switching to work from home has made them more vulnerable to cyber attacks. Amid the continuing coronavirus pandemic the focus is shifting on digital hygiene and training. These are top issues outlined by the participants of a round table which  took place at TASS Press Center under the title “Cybersecurity: new threats and protection against them”.

At present, a large number of high-tech medical equipment is connected to the Internet. Given that medical institutions are not used to new threats, they often fall prey to cyber criminals. At times, hospitals have to pay ransom in order to restart the equipment vital for patients’ lives.  The participants in the round table cited yet more tragic cases when the ambulance equipment glitch forced the driver to head for other hospitals, which means that patients in critical condition may not make it there.

Cyber threats have been haunting not only the  medical industry. President of Check Point Software Technologies in Russia and CIS Vasily Diaghilev has singled out 3 key challenges in the new reality. Firstly, the decision-taking time limit has shortened considerably, — the market proved unprepared for this (unlike in the past, when months were given to elaborate decisions on cyber security, now a mere days are given to do so). Secondly, the criminal groups which had to go online as well, were provided with new financing to “work” in the cyber sphere. Thirdly, user vulnerability went up due to a wide variety of hacking methods.

Alexei Novikov, Director of Security at Positive Technologies, disagrees with such a view. The transition to online work has increased the number of vulnerabilities making it possible for the criminals to find new loops. Hence cyber security has come to depend on the competence of particular individuals. Earlier, information security was guaranteed “along the perimeter of corporate network”. Now, when practically everyone is working from home, family members have got access to the data too. In  addition, employees often connect  their  personal “smart devices” of the  Internet of  things to their corporate networks.

Experts who took part in the round table provided specific recommendations as to how to boost digital security. Founder and General Director of Zecurion Alexei Raevsky warned companies which are not supposed to store loads of data against doing so. Alexei Raevsky described all the data (for example, for electronic passes), which they collect on a regular basis in the conditions of a quarantine, as a “time bomb”. Vasily Diaghilev has urged individuals to refrain from using (and called on companies to impose restrictions on this practice on a mandatory basis) corporate passwords on external servers, in addition, he recommended coding corporate data, and in order to secure protection against destructive files, he advises to switch to the safe pdf-format in paperwork. “Info security should enter mass market as a taxi – a kind of digital security outsourcing”, — Lev Matveev, Chairman of the Board of “SearchInfoorm”, member of the Association of Software Manufacturers “Russoft”, says. Besides, he recommended including VPN-apps and services into public (free) WiFi-networks.

From our partner International Affairs

Continue Reading

Science & Technology

Top 10 Emerging Technologies to Watch in 2020

Published

on

From virtual patients to pain-free needles, synthesizing whole-genomes, and digital medicine, these top 10 emerging technologies are transforming our post-COVID-19 lives. An international steering group of experts singled out these and other emerging technologies as the ones most likely to impact the world in the next three to five years.

For example, a Swiss group was able to synthesize the entire COVID-19 genome by reproducing the genetic sequence uploaded by Chinese scientists. They were essentially teleporting the virus into their laboratory for study without waiting for physical samples. The ability to write our genome will inevitably help doctors to cure genetic diseases.

As we now move to clinical trials of a COVID-19 vaccine, virtual patients, instead of living humans, could help identify successful vaccine candidates, reduce costs, and speed up research. It would also prevent the testing of imperfect vaccine candidates on living volunteers.

While the outbreak unfolded, dozens of medical apps and bots were developed, expanding the digital medicine landscape. These apps could detect depression and provided counselling. Bots answered over 200 million inquiries about COVID symptoms and treatments. COVID-19 will continue to shape our lives, and these emerging technologies could fill the gaps created by the pandemic.

The list also includes new technologies that can help combat climate change by tackling major polluting industries. These new green technologies include innovative planes, new concrete formulations and using sunlight to power refineries.

Top 10 technologies to make the list are:

Virtual Patients

Virtual patients, instead of living humans, could make vaccine trials quicker and inexpensive. This technology would significantly reduce the number of human subjects needed for experimentation.

Microneedles for Painless Injections and Tests

These tiny needles promise pain-free injections and blood testing. Microneedles do not touch nerve endings. Since the process does not need costly equipment or a lot of training, they can be used in areas that do not normally receive cutting-edge medical technologies.

Whole-Genome Synthesis

Whole-genome synthesizing will transform cell engineering. The ability to write our genome will inevitably help doctors to cure genetic diseases.

Digital Medicine

Digital medicine is a collection of apps that detect and monitor the mental and physical health of patients. These apps and bots can enhance traditional medicine and provide support to patients with limited access to healthcare.

Electric Aviation

Electric propulsion motors would eliminate direct carbon emissions. This technology could also reduce fuel costs by up to 90%, maintenance by up to 50% and noise by nearly 70%. Currently, about 170 electric airplane projects are underway.

Lower-Carbon Cement

Concrete, the most widely used human-made material, shapes much of our built world. If cement production were a country, it would be the third-largest emitter after China and the US. Researchers are working on lower-carbon approaches by changing the recipe, using different materials, and using carbon capture and storage technologies.

Sun-Powered Chemistry

This approach uses sunlight to convert carbon dioxide waste into needed chemicals manufactured from fossil fuel. This approach could reduce emissions in two ways – by using unwanted gas as raw material and using sunlight as the source of energy instead of fossil fuels.

Green Hydrogen

Current methods of producing hydrogen are not environmentally efficient. Green hydrogen, produced through electrolysis, has no by-product, unlike current processes. Green hydrogen could transform industries that require high-energy fuel.

Spatial Computing

“Spatial computing” will bring together raise reality apps and sensors to facilitate human-machine and machine-machine interactions to a new level. It combines these capabilities and controls objects’ movements and interactions, allowing a person to navigate the digital and physical world.

Quantum Sensing

Quantum sensors enable autonomous vehicles that can “see” around corners, underwater navigation systems, early-warning systems for volcanic activity and earthquakes, and portable scanners that monitor a person’s brain activity during daily life.

Continue Reading

Science & Technology

Can ‘Open Science’ speed up the search for a COVID-19 vaccine? 5 things you need to know

Published

on

The UN is calling for authoritative scientific information and research to be made freely available, to accelerate research into an effective vaccine against the COVID-19 virus, help counter misinformation, and “unlock the full potential of science”.

Arguing that no-one is safe until everyone is safe, the World Health Organization (WHO) has, for several months, been urging countries and scientists to collaborate, in a bid to bring the pandemic under control. This has involved the creation, alongside governments, scientists, foundations, the private sector and other partners, of a groundbreaking platform to accelerate the development of tests, treatments and vaccines.

In October, the head of the agency, Tedros Ghebreyesus Adhanom, alongside human rights chief Michelle Bachelet, and Audrey Azoulay, Director-General of science, culture and education agency UNESCO, issued a call for “Open Science”, describing it as a “fundamental matter of human rights”, and arguing for cutting-edge technologies and discoveries to be available for those who need them most.

But what exactly does Open Science mean, and why does the UN insist on making it more widespread?

1) What is ‘Open Science’?

Open Science has been described as a growing movement aimed at making the scientific process more transparent and inclusive by making scientific knowledge, methods, data and evidence freely available and accessible for everyone.

The Open Science movement has emerged from the scientific community and has rapidly spread across nations. Investors, entrepreneurs, policy makers and citizens are joining this call.

However, the agency also warns that, in the fragmented scientific and policy environment, a global understanding of the meaning, opportunities and challenges of Open Science is still missing.

2) Why is Open Science important?

Open Science facilitates scientific collaboration and the sharing of information for the benefit of science and society, creating more and better scientific knowledge, and spreading it to the wider population.

UNESCO has described Open Science as a “true game changer”: by making information widely available, more people can benefit from scientific and technological innovation.

3) Why is it needed now?

Because, in a world that is more inter-connected than ever before, many of today’s challenges do not respect political or geographic borders, and strong international scientific collaboration is essential to overcome the problems. The COVID-19 pandemic is a prime example.

We also have the tools to make it happen: with digitalization becoming ever more widespread, it is far easier than ever before to share scientific knowledge and data, which are needed to enable decisions that can lead to overcoming global challenges to be based on reliable evidence.

4) What is the impact of Open Science on the pandemic?

In this global health emergency, thanks to international collaboration, scientists have improved their understanding of the coronavirus with unprecedented speed and openness, embracing the principles of Open Science. Journals, universities, private labs, and data repositories have joined the movement, allowing open access to data and information: some 115,000 publications have released information related to the virus and the pandemic, and more than 80 per cent of them can be viewed, for free, by the general public.

Early in the pandemic, for example, Chinese scientists readily shared the genome of the virus, jumpstarting all following research into the virus, and the diagnostic testing, treatments, and vaccines that have since been developed.

Finally, the crisis has underlined the urgent need to bring science closer to decision making and to society as a whole. Fighting misinformation and promoting evidence-based decision-making, supported by well-informed citizens, has proven to be of vital importance in the fight against COVID 19.

5) What is the UN doing to promote Open Science?

To ensure that Open Science truly meets its potential, and benefits both developed and developing countries, UNESCO is taking the lead in building a global consensus on values and principles for Open Science that are relevant for every scientists and every person independently of their place of origin, gender, age or economic and social background.

The future UNESCO Recommendation on Open Science is expected to be the international instrument to set the right and just standards for Open Science globally, which fulfil the human right to science and leave no one behind.  

In a statement released on World Science Day for Peace and Development, celebrated on 10 November, Ms. Azoulay said that widening the scope of Open Science will help science to “unlock its full potential”, making it more effective and diverse by “enabling anyone to contribute, but also to bring its objectives in line with the needs of society, by developing scientific literacy in an informed citizenry who take responsibility and are involved in collective decision-making”.

Continue Reading

Publications

Latest

Middle East2 hours ago

Iranian media and Nagorno-Karabakh Conflict

Freedom of the press and the Media are both considered the fundamental pillars of Democracy across the globe.  However, some...

Africa Today4 hours ago

Kenya’s GDP Contracts Under Weight of COVID-19, Impacting Lives and Livelihoods

The latest World Bank economic analysis for Kenya projects the economy to contract by between 1.0 percent and 1.5 percent...

Finance6 hours ago

The future of work: promoting gender equality, diversity and inclusion

The United Nations Industrial Development Organization (UNIDO) and the Vienna Regional Office of the International Organization for Migration  (IOM) have...

EU Politics8 hours ago

EU-Australia Leaders’ Virtual Meeting

The President of the European Council, Charles Michel, the President of the European Commission, Ursula von der Leyen, and the...

Intelligence10 hours ago

National Security of PakistanPost 9/11: A Critical Review

Pakistan’s troublesome decades preceding the millennium mark all boiled down to significant events of the morning of September 11, 2001,...

Environment12 hours ago

Crop Certification: Going green unlocks global markets for farmers

Over the last 30 years, more and more tea, coffee and cocoa farmers have embraced towards climate-smart and sustainable practices...

Southeast Asia14 hours ago

Cambodia’s Hun Sen, Asia’s longest-serving PM, continues to quell the Opposition

For the past 35 years, the former French colony of Cambodia is ruled by the 68-year-old Prime Minister Hun Sen,...

Trending