GDPR Clock is Ticking for the US Companies as Well: Top 7 Tips to Get Ready

Jasna Čošabić, PhD

The General Data Protection Regulation (GDPR) is about to become applicable, as from 25 May 2018. Its long-arm territorial reach brings obligations not only to EU establishments, but to US-based companies as well. Global connection through the internet especially underlines the likelihood of such broad application, and it will impact US businesses. One of the prerequisites for safe transfer of data between the EU and the US is already accomplished by the EU-US Privacy Shield agreement. The European Commission has considered this agreement as providing adequate guarantees for transfer of data. Under the Privacy Shield scheme, companies may self-certify and adhere to the principles stated therein. Yet there are still fewer than 3000 companies in the US participating in the Privacy Shield. But GDPR safeguards still have to be followed. Below, we shall look at some of the most profound aspects of compliance with the GDPR for US (non-EU) based companies.

Data protection officer

Although it is not obligatory pursuant to the GDPR, it is advisable that a company appoints a data protection officer (‘DPO’) or designates that role to a specific position in the company. A DPO can also be externally appointed. There may be a single DPO for several companies, or several persons designated with the DPO role in one company. The position need not necessarily carry that title; it may be a privacy officer, compliance officer, etc. Such a person should possess expert knowledge about the GDPR and data privacy, and may have a legal, technical or similar background. The GDPR is not specific as to the requirements for that person, apart from possessing expert knowledge. The role of the DPO is to inform, monitor and advise the controller, processor or employees, to cooperate with the supervisory authority, to provide training of staff, and to help in performing the data protection impact assessment.

Data Protection Impact Assessment

The further step that companies affected by the GDPR, including US companies, should take in order to evaluate the risk of a data breach is to perform a data protection impact assessment (‘DPIA’). A DPIA is a thorough overview of the processes of the company, and can be done with the help of the data protection officer. It may include a form or a template with a series of questions, which have to be answered for each processing activity. The DPIA has to be detailed and cover all operations in the company. The function of the DPIA is to predict situations in which data breaches may occur, and which include processing of private data. The DPIA should contain, pursuant to Article 35 of the GDPR, a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph, and the measures envisaged to address the risks, including safeguards and security measures. A DPIA is a very useful way of showing compliance, and it is also a tool that helps the company in the first place to have an overview of processing activities and an indication of where a breach could happen.

EU representative

A US company (non-EU based company) has to appoint an EU representative if its business relates to offering goods or services to natural persons in the EU, including even free goods or services, or when processing is related to monitoring the behaviour of data subjects in the EU. Monitoring of behaviour may include monitoring the internet activity of data subjects in order to evaluate or predict their personal preferences, behaviours and attitudes. An EU representative is not obligatory when the processing is occasional or does not include processing on a large scale of special categories of data such as genetic data, biometric data, data concerning health, ethnic origin, political opinions, etc., and when it is unlikely to result in a risk to the rights and freedoms of natural persons. However, given that the exceptions from the duty to designate an EU representative are pretty vague, in most cases companies whose operations towards persons in the EU are not negligible would have to appoint a representative. The location of such a representative would be in one of the EU Member States where the data subjects are located. The representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with this Regulation, and he/she is also liable and subject to enforcement in case of non-compliance.

Consent matters

The GDPR is dominated by one key word for respecting privacy: consent. If companies wish to process data of natural persons that are in the EU, they must first obtain consent to do that. Consent must be freely given, informed, specific and unambiguous.

Freely given consent presupposes that the data subject must not feel pressured or urged to consent, or be subjected to non-negotiable terms. Consent is not considered freely given if the data subject has no genuine or free choice. The data subject must not feel reluctant to refuse consent out of fear that such refusal will have a detrimental effect on him/her. If the consent is preformulated by the controller, which is usually the case, the language of the consent must be clear, plain and easily understandable for the data subject. Further, if there are several purposes for the processing of certain data, consent must be given for every purpose separately. Consent must be specific and not abstract or vague. Silence, pre-ticked boxes or inactivity are not to be considered as consent under the GDPR.

Informed consent means that the data subject must know what the consent is for. He/she must be informed about what the consent will bring, and there must not be any unknown or undetermined issues. It is a duty of the controller to inform the data subject about the scope and purpose of consent, and such information must be in clear and plain language. But one must be careful: in today's world of fast-moving technologies, we face an overflow of consents that a person has to give in a short period of time, so there may be an occurrence of ‘click fatigue’ [1], which would result in persons not reading the information about the consent and clicking routinely without any thorough thinking. So the controllers would have to create, by their technical design, a form of consent that would make the person read and understand his or her consent. It could be a combination of yes and no questions, changing the place of tick boxes, visually appealing text accompanying the consent, etc.

Consent must be unambiguous, or clearly given. There must not be space for interpretation as to whether consent is given for a certain purpose or not. As to the form of the consent, it may be given by ticking a box, choosing technical settings and similar (Recital 32 GDPR).

Data subject gives his consent for the processing of his personal data. However, companies have to bear in mind that data concept in the EU is broadly understood, and that it includes all personally identifiable information (PII), ranging from obvious data such as name and postal address, to less obvious data, but still PII covered by GDPR, such as IP address [2]. On the other hand the IP address is not that clearly considered as PII in the US. In that regard, the protection in the US must be stricter, obliging US based companies to also apply broader EU standards.

Privacy by design implemented

Privacy by design is a concept which brings together the legal requirements and technical measures. It is a nice and smooth way of incorporating law into the technical structure of a business. Privacy by design, if applied properly at the outset, shall ensure compliance with the GDPR requirements. It should point to the principles of data minimisation, where only data which is necessary should be processed, and storage limitation, which would provide for a periodic overview of storage and automatic erasure of data no longer necessary.

One of the ways of showing compliance through privacy by design is ‘pseudonymisation’. Pseudonymisation is, according to the GDPR, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information must be kept separately, so that it cannot be connected to an identified or identifiable natural person. Pseudonymisation is not anonymisation and should not be confused with it. Anonymisation is a technique which results in irreversible de-identification, and since it completely disables identification, it is not subject to data protection under the GDPR. Pseudonymisation only reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure [3].

Binding corporate rules

Binding corporate rules (‘BCR’) include a set of principles, procedures and personal data protection policies, as well as a binding clause adopted by the company and approved by the competent supervisory authority. Adopting binding corporate rules is not a simple process, but it means being on a safe track. It is one of the safeguards envisaged by the GDPR. According to Article 47 of the GDPR, BCR should include the structure and contact details of the company, categories of personal data, the type of processing and its purposes, application of general data protection principles (such as purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, ...), rights of data subjects, the tasks of the data protection officer, complaint procedures, mechanisms for reporting to the competent supervisory authority, appropriate data protection training for personnel, and an indication that the BCR are legally binding. BCR should additionally be accompanied by privacy policies, guidelines for employees, a data protection audit plan, examples of the training program, a description of the internal complaint system, a security policy, a certification process to make sure that all new IT applications processing data are compliant with the BCR, and a job description of data protection officers or other persons in charge of data protection in the company.

Make your compliance visible

Well, if your company has performed all of the above, it has to make it visible. Companies that are covered by the GDPR not only have to comply, they have to show that they comply. The GDPR puts an obligation on controllers to demonstrate their compliance.

From the first contact with the controller, the website must give the impression of compliance. BCR, privacy policies and DPO contact details must be visible, so that the data subject may address the DPO in case of data risk or breach. The EU representative’s name and contact details must be put forward in order to be accessible to the supervisory authority in the EU. A contact form for data subjects, with options for access, right to object, erasure, rectification and restriction, should be there. The organisational chart of the company and the flow of data transfers, demonstrated by a data flow map, should be there as well. These are only some of the most important features that have to be followed.

Non-compliance is a very costly adventure, one that businesses will try to avoid. With systematic planning, due analysis of the necessity of compliance with the GDPR, and clearly defined processes, US companies can gain many benefits for the business and attract and encourage data subjects in the EU to freely entrust their data to them. This is a thorough process, but worth accomplishing.

[1] Article 29 Working Party Guidelines on consent, p. 17

[2] According to judgment of the Court of Justice of the EU of 19 October 2016, in case C 582/14,

[3] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques adopted on 10 April 2014, p. 3

Our Shared Digital Future

MD Staff

Building a digital economy and society that is trusted, inclusive and sustainable requires urgent attention in six priority areas according to a new report, Our Shared Digital Future, published by the World Economic Forum today.

The report represents a collaborative effort by business, government and civil society leaders, experts and practitioners. It follows an 18-month dialogue aimed at restoring the internet’s capacity for delivering positive social and economic development.

The report comes at a historic moment on the day when, for the first time, more than one-half of the world’s population is now connected to the internet. At the same time, less than one-half of those already online trust that technology will make their lives better.

With 60% of the global economy forecast to be digitized by 2022, there remains huge potential for the Fourth Industrial Revolution to lift more people out of poverty and strengthen societies and communities. However, success depends on effective collaboration between all stakeholder groups. The authors, in addition to unveiling six key areas for action, also highlight several existing efforts at global and local levels where collaboration is helping to restore trust and deliver broad-based societal benefits.

The six priority areas for multistakeholder collaboration are:

Internet access and adoption

Internet access growth has slowed from 19% in 2007 to 6% in 2017. At the same time, we have reached the milestone of 50% of the world’s population being connected to the internet. To close the digital divide, more investment is needed to not only provide access, but also improve adoption.

Good digital identity

By 2020, the average internet user will have more than 200 online accounts and by 2022, 150 million people are forecast to have blockchain-based digital identities. However, 1 billion people currently lack a formal identity, which excludes them from the growing digital economy. Good digital identity solutions are key to addressing this divide, empowering individuals, and protecting their rights in society.

Positive impact on society

By 2022, an estimated 60% of global GDP will be digitized. In 2018, companies are expected to spend more than $1.2 trillion on digital transformation efforts. Yet, only 45% of the world’s population feel that technology will improve their lives. Companies need to navigate digital disruption and develop new responsible business models and practices.

Cybersecurity

Cyberattacks result in annual losses of up to $400 billion to the global economy. More than 4.5 billion records were compromised by malicious actors in the first half of 2018, up from 2.7 billion records for the whole of 2017. A safe and secure digital environment requires global norms and practices to mitigate cyber-risks.

Governance of the Fourth Industrial Revolution

Policy-makers and traditional governance models are being challenged by the sheer magnitude and speed of the technological changes of the Fourth Industrial Revolution. Developing new and participatory governance mechanisms to complement traditional policy and regulation is essential to ensure widespread benefits, close the digital divide and address the global nature of these developments.

Data

The amount of data that keeps the digital economy flowing is growing exponentially. By 2020, there will be more than 20 billion connected devices globally. Yet there is no consensus on whether data is a type of new currency for companies to trade or a common public good that needs stricter rules and protection. The digital economy and society must bridge this gap by developing innovations that allow society to benefit from data while protecting privacy, innovation and criminal justice.

“The digital environment is like our natural environment,” said Derek O’Halloran, Head, Future of Digital Economy and Society, the World Economic Forum. “We all – governments, businesses, individuals – have a duty to ensure it remains clean, safe and healthy. This paper marks a step forward in offering a blueprint for a better internet we can all work towards: One that is inclusive, trustworthy and sustainable.”

The report is part of ongoing work by the World Economic Forum to provide a platform to accelerate, amplify or catalyse collaborative efforts from business, government, academia and civil society to advance progress towards an inclusive, trustworthy and sustainable digital economy. The report provides an overview of key issues for the digital economy and society, establishes priorities for multistakeholder collaboration for the year ahead, and highlights existing key initiatives and resources.

“Our existing institutions, mechanisms and models are struggling to effectively respond to the pace of digital change and its distributed nature. This report identifies critical areas of focus for public-private partnerships to help restore trust in an inclusive and prosperous digital future,” said Jim Smith, Chief Executive Officer, Thomson Reuters and Co-Chair, World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society.

“While recognizing that digital developments fuel many opportunities in political, commercial and social spheres, a key point of this paper is the need to focus on inclusion and addressing digital divides; only through incorporating more voices and views – in the development of political and commercial policies – will we be able to create a society that truly benefits all,” said Lynn St. Amour, Chair of the UN Internet Governance Forum (IGF)’s Multistakeholder Advisory Group, and Co-Chair, World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society.

Internet milestone reached: More than 50 per cent go online

MD Staff

For the first time, more than half of the world’s population of nearly 8 billion will be using the internet by the end of 2018, the United Nations telecommunications agency announced on Friday.

International Telecommunication Union (ITU) global and regional estimates for 2018 are “a pointer to the great strides the world is making towards building a more inclusive global information society,” Houlin Zhao, ITU Secretary-General, said.

The record figure of 3.9 billion people, or 51.2 per cent that will be online by the end of December, is an important milestone in the digital revolution, according to the ITU. The agency insists that this increased connectivity will help promote sustainable development everywhere.

The latest figures also spotlight Africa, which shows the strongest rate of growth in internet access, from around two per cent in 2005, to more than 24 per cent of the African population this year.

Europe and the Americas are the regions with the slowest growth rates, though the current figures show that 79.6 per cent and 69.6 per cent are online, respectively.

Overall, said the ITU, “in developed countries, slow and steady growth increased the percentage of population using the Internet, from 51.3 per cent in 2005 to 80.9 per cent in 2018.”

Despite this progress, ITU has warned that a lot of communities worldwide still do not use the internet, particularly women and girls. The statistics show older people also disproportionately remain offline, as do those with disabilities, indigenous populations and some people living in the world’s poorest places.

In a bid to reduce inequalities, the agency is calling on more infrastructure investment from the public and private sectors, and to focus on ensuring that access remains affordable for all.

“We must encourage more investment from the public and private sectors and create a good environment to attract investments, and support technology and business innovation so that the digital revolution leaves no one offline,” said Mr. Zhao.

Utilizing Artificial Intelligence for Environmental Sustainability

The improvement in human development is becoming vividly contingent on the surrounding natural environment, and may be confined by its future deterioration as a response to the negative stimulus. Man-made problems like increasing population, urbanization and industrialisation, of which our mother earth is a victim in this century, have forced society to consider whether human beings are changing the very conditions essential to life on Earth. Antediluvian technologies have played a very meager role in the planning, prediction, supervision and control of environmental processes at different scales and within various time spans. An effective environment protection policy is largely dependent on the quality of information available and the utility of contemporary technologies like Artificial intelligence (AI), deep learning and data analytics that can be used to take an appropriate decision at an appropriate time. This convergence can help AI move from in vitro (in research labs) to in vivo (in everyday lives).

The global environment is in bad shape. Natural disasters around the world are happening at an alarming rate; we have witnessed earthquakes, wildfires and cyclones that cause mass flooding and property damage. Around twenty per cent of species currently face extinction, and that number could rise to 50 per cent by 2100. And even if all the world economies keep their Paris climate pledges, by 2100, it’s predicted that average global temperatures will be 3˚C higher than in pre-industrial times, making it an invincible environmental catastrophe. There are reports which suggest that the recent fire break in California, United States of America and the floods in Kerala, India could have been mitigated effectively with proper supervision and planning. Here comes the role of AI. AI is considered to be the most dynamic game-changer in the global economy. According to a World Economic Forum report, Harnessing Artificial Intelligence for the Earth, AI refers to computer systems that “can sense their environment, think, learn, and act in response to what they perceive and their programmed purposes.” AI has helped environment researchers clinch almost 90 per cent accuracy in spotting climate change factors like tropical cyclones, weather fronts, tidal changes and atmospheric rivers, which can cause heavy precipitation and are often impossible for humans to identify on their own. In India, AI has helped farmers get 30 per cent higher yields per hectare by providing information on preparing the land, applying fertilizer and choosing sowing dates, as reported by the Government of India in 2018. In Norway, AI has penetrated into the field of policy-making and helped create a flexible and autonomous electric grid, integrating more renewable energy.

The long list of technology and economy shapers who believe that artificial intelligence, often encompassing machine learning and deep learning, is a “game changer” for climate change and environmental issues includes Microsoft, Google, IBM and Tesla, among others. Microsoft’s AI for Earth program has committed $50 million over five years to develop and test novel tech-applications for AI. In China, IBM’s Green Horizon project is utilizing an AI system that can forecast air pollution, track pollution sources and develop potential strategies and solutions to tackle it. For instance, data analysis can be used to determine whether it would be more effective to restrict carbon output or close certain power plants in order to reduce pollution in a particular zone. The Ocean Data Alliance is developing a machine learning system to provide data from satellites and ocean exploration so that decision-makers can monitor shipping, ocean mining, fishing, coral bleaching or the outbreak of a marine disease. Modern technologies like artificial intelligence, geographic information system tools and movement detectors are revamping the way wildlife reserves and conservation bodies are working across India. AI can also help prophesy the spread of invasive materials, keep track of marine litter and measure water pollution levels. The 21st century is the age of data; with accuracy as the key, decision-makers and authorities will be able to respond to problems more quickly with real-time data. Considering the global evolution of AI and its application, it is evidentially predicted that by 2030, AI will add up to USD 15.7 trillion to the global economy, which is more than the present output of China and India combined. The United Nations recognizes that AI has the potential to accelerate progress towards a dignified life, in peace and prosperity, for all people. The UN Artificial Intelligence Summit held in Geneva (2017) suggested refocusing the use of this technology on achieving sustainable development goals and assisting global economies to eliminate poverty, conserve natural resources and protect the environment.

Countries and civil societies develop incredible AI application systems with diverse features, but sometimes these systems do not take into consideration the good of individuals and society. So, it is important to develop systems which can deliver the change required to build a clean, resource-secure and inclusive economy, enabled by technology and supported by public policy and investment. Many industry giants like Microsoft, Google and Tesla, while pushing the parameters for human innovations, have made productive efforts in developing ‘Earth Friendly’ or ‘Eco-Friendly’ AI mechanisms. For instance, Google’s brainchild DeepMind AI has helped the organization to curb their data centre energy usage by 40 per cent, making them more energy efficient and reducing overall greenhouse gas emissions. AI innovation will also be fundamental to the attainment of the United Nations Sustainable Development Goals (SDGs) and will also promote the resolution of humanity’s grand challenges by maximizing on the unequalled quantities of data now being generated on sentiment behaviour, human health, migration and more.

For any country to maximally benefit from the AI revolution, it must adopt a deliberate policy to drive AI innovation and proliferation in sectors affecting climate change. With powerful economies making rapid progress in AI-based research, it is imperative that the world looks at AI as a critical element of environmental sustainability. These recent advances in AI are a wake-up call to policymakers as our climate is under increasing strain. Aiming for sustainability is an opportunity of this generation. AI and other Fourth Industrial Revolution ideas are the new innovative solutions that can revolutionize environmental protection measures.

Copyright © 2018 Modern Diplomacy