GDPR Clock is Ticking for the US Companies as Well: Top 7 Tips to Get Ready

Jasna Čošabić, PhD

The General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018. Its long-arm territorial reach brings obligations not only to EU establishments but to US-based companies as well. Global connection through the internet makes such broad application especially likely, and it will impact US businesses. One of the prerequisites for the safe transfer of data between the EU and the US is already in place: the EU-US Privacy Shield agreement, which the European Commission has found to provide adequate guarantees for data transfers. Under the Privacy Shield scheme, companies may self-certify and adhere to the principles stated therein. Yet fewer than 3,000 US companies participate in the Privacy Shield so far, and the GDPR safeguards still have to be followed regardless. Below, we look at some of the most important aspects of GDPR compliance for US (non-EU) based companies.

Data protection officer

Although it is not obligatory pursuant to the GDPR, it is advisable that a company appoints a data protection officer (‘DPO’) or assigns that role to a specific position in the company. A DPO can also be appointed externally. There may be a single DPO for several companies, or several persons designated with the DPO role in one company. The position need not carry that exact title; it may be a privacy officer, compliance officer, etc. Such a person should possess expert knowledge of the GDPR and data privacy, and may have a legal, technical or similar background. The GDPR is not specific as to the requirements for that person, apart from possessing expert knowledge. The role of the DPO is to inform, monitor and advise the controller, processor or employees, to cooperate with the supervisory authority, to provide training for staff, and to help in performing the data protection impact assessment.

Data Protection Impact Assessment

The next step that companies affected by the GDPR, including US companies, should take in order to evaluate the risk of a data breach is to perform a data protection impact assessment (‘DPIA’). A DPIA is a thorough overview of the processes of the company, and can be done with the help of the data protection officer. It may take the form of a template with a series of questions, which have to be answered for each processing activity. The DPIA has to be detailed and cover all operations in the company. Its function is to predict situations in which data breaches may occur and which involve the processing of personal data. Pursuant to Article 35 of the GDPR, a DPIA should contain a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address the risks, including safeguards and security measures. A DPIA is a very useful way of showing compliance, and it is also a tool that helps the company in the first place to gain an overview of its processing activities and an indication of where a breach could happen.

EU representative

A US company (non-EU based company) has to appoint an EU representative if its business relates to offering goods or services to natural persons in the EU, even free goods or services, or when processing is related to monitoring the behaviour of data subjects in the EU. Behaviour may include monitoring the internet activity of data subjects in order to evaluate or predict their personal preferences, behaviours and attitudes. An EU representative is not obligatory when the processing is occasional or does not include large-scale processing of special categories of data such as genetic data, biometric data, data concerning health, ethnic origin, political opinions, etc., and when it is unlikely to result in a risk to the rights and freedoms of natural persons. However, given that the exceptions from the duty to designate an EU representative are pretty vague, in most cases companies whose operations towards persons in the EU are not negligible would have to appoint a representative. Such a representative would be located in one of the EU Member States where the data subjects are located. The representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with the Regulation, and is also liable and subject to enforcement in case of non-compliance.

Consent matters

The GDPR revolves around one key word of respect for privacy: consent. If companies wish to process data of natural persons who are in the EU, they must first obtain consent to do so. Consent must be freely given, informed, specific and unambiguous.

Freely given consent presupposes that the data subject must not feel pressured or urged to consent, or be subjected to non-negotiable terms. Consent is not considered freely given if the data subject has no genuine or free choice. The data subject must not be reluctant to refuse consent out of fear that such refusal will have a detrimental effect on him or her. If the consent is pre-formulated by the controller, which is usually the case, the language of the consent must be clear, plain and easily understandable for the data subject. Further, if there are several purposes for the processing of certain data, consent must be given for every purpose separately. Consent must be specific and not abstract or vague. Silence, pre-ticked boxes or inactivity are not considered consent under the GDPR.

Informed consent means that the data subject must know what the consent is for. He or she must be informed about what the consent entails, and there must not be any unknown or undetermined issues. It is the duty of the controller to inform the data subject about the scope and purpose of the consent, and such information must be in clear and plain language. One must be careful, however: in today’s world of fast-moving technologies we face an overflow of consents that a person has to give in a short period of time, and this may lead to ‘click fatigue’ [1], where persons no longer read the information about the consent and click routinely without any thorough thinking. So controllers have to create, through their technical design, a form of consent that makes the person read and understand his or her consent. It could be a combination of yes and no questions, changing the position of tick boxes, visually appealing text accompanying the consent, etc.

Consent must be unambiguous, or clearly given. There must be no room for interpretation as to whether consent is given for a certain purpose or not. As to the form of the consent, it may be given by ticking a box, choosing technical settings and similar (Recital 32 GDPR).

The data subject gives consent for the processing of his or her personal data. However, companies have to bear in mind that the concept of personal data in the EU is broadly understood, and that it includes all personally identifiable information (PII), ranging from obvious data such as name and postal address to less obvious data that is still PII covered by the GDPR, such as an IP address [2]. In the US, on the other hand, the IP address is not so clearly considered PII. In that regard, the protection in the US must be stricter, obliging US-based companies to also apply the broader EU standards.

Privacy by design implemented

Privacy by design is a concept which brings together legal requirements and technical measures. It is a smooth way of incorporating law into the technical structure of a business. Privacy by design, if applied properly at the outset, ensures compliance with the GDPR requirements. It should point to the principles of data minimisation, where only data which is necessary should be processed, and storage limitation, which provides for a periodic review of storage and automatic erasure of data that is no longer necessary.

One way of showing compliance through privacy by design is ‘pseudonymisation’. Pseudonymisation is, according to the GDPR, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information must be kept separately, so that it cannot be connected to an identified or identifiable natural person. Pseudonymisation is not anonymisation and should not be confused with it. Anonymisation is a technique which results in irreversible de-identification, and since it completely disables identification it is not subject to data protection under the GDPR. Pseudonymisation only reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure [3].
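To make the distinction concrete, here is an added example (not code from the original article) of pseudonymisation versus anonymisation in Python over a constructed sample dataset: the keyed pseudonym lookup table is the ‘additional information’ that must be stored separately, and only its holder can re-identify a record, while the anonymised output keeps no token at all. The record fields, the HMAC-based pseudonym, the key handling and the generalisation bands are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people, addresses and IPs are invented for this example.
RECORDS = [
    {"name": "A. Example", "email": "a@example.org", "ip": "203.0.113.7",
     "city": "Dublin", "age": 34, "orders": 3},
    {"name": "B. Example", "email": "b@example.org", "ip": "198.51.100.2",
     "city": "Lyon", "age": 51, "orders": 12},
    {"name": "C. Example", "email": "c@example.org", "ip": "203.0.113.9",
     "city": "Dublin", "age": 29, "orders": 1},
]

# Fields that directly identify a person (name, postal/e-mail address, IP address).
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed pseudonym (assumed design). HMAC rather than a bare hash: a bare SHA-256
    of an e-mail address can be recomputed by anyone who can guess the address."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised records, lookup table).

    The lookup table (and the key) is the 'additional information' the GDPR requires
    to be kept separately: different store, different access rights than the records.
    """
    lookup = {}
    pseudonymised = []
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = token
        pseudonymised.append(stripped)
    return pseudonymised, lookup


def reidentify(record, lookup):
    """Reversal is possible only with the separately held lookup table.
    Returns None when the table does not know the token (e.g. built under another key)."""
    return lookup.get(record.get("subject_id"))


def anonymise(records):
    """Irreversible de-identification: drop direct identifiers, keep no token, and
    coarsen quasi-identifiers (age band, order band) so records are less linkable."""
    out = []
    for rec in records:
        out.append({
            "city": rec["city"],
            "age_band": f"{(rec['age'] // 10) * 10}s",
            "order_band": "1-5" if rec["orders"] <= 5 else "6+",
        })
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # lives in the separate store, never beside the data
    pseudo, table = pseudonymise(RECORDS, key)
    print(pseudo[0])                       # no name/email/ip, only subject_id
    print(reidentify(pseudo[0], table))    # possible only with the table
    print(anonymise(RECORDS)[0])           # nothing left to reverse
```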

Binding corporate rules

Binding corporate rules (‘BCR’) comprise a set of principles, procedures and personal data protection policies, as well as a binding clause, adopted by the company and approved by the competent supervisory authority. Adopting binding corporate rules is not a simple process, but it means being on a safe track. It is one of the safeguards envisaged by the GDPR. According to Article 47 of the GDPR, BCR should include the structure and contact details of the company, the categories of personal data, the type of processing and its purposes, the application of the general data protection principles (such as purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, etc.), the rights of data subjects, the tasks of the data protection officer, complaint procedures, mechanisms for reporting to the competent supervisory authority, appropriate data protection training for personnel, and an indication that the BCR are legally binding. BCR should additionally be accompanied by privacy policies, guidelines for employees, a data protection audit plan, examples of the training programme, a description of the internal complaint system, a security policy, a certification process to make sure that all new IT applications processing data comply with the BCR, and job descriptions of data protection officers or other persons in charge of data protection in the company.

Make your compliance visible

If your company has done all of the above, it has to make it visible. Companies covered by the GDPR not only have to comply, they have to show that they comply. The GDPR puts an obligation on controllers to demonstrate their compliance.

From the first contact with the controller, the website must give the impression of compliance. BCR, privacy policies and the DPO’s contact details must be visible so that a data subject can contact the DPO in case of data risk or breach. The EU representative’s name and contact details must be put forward so that they are accessible to the supervisory authority in the EU. There should be a contact form for data subjects with options for access, the right to object, erasure, rectification and restriction. An organisational chart of the company and a data flow map showing how data is transferred should also be available. These are only some of the most important features that have to be followed.

Non-compliance is a very costly adventure, one that businesses will try to avoid. With systematic planning, due analysis of the necessity of GDPR compliance, and clearly defined processes, US companies can bring many benefits to their business and attract and encourage data subjects in the EU to freely entrust their data to them. This is a thorough process, but one worth accomplishing.

[1] Article 29 Working Party, Guidelines on consent, p. 17

[2] Judgment of the Court of Justice of the EU of 19 October 2016 in case C-582/14

[3] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014, p. 3


Artificial Intelligence: Everyday Everywhere


May 17 marks the World Telecommunication and Information Society Day with the theme of enabling the positive use of ‘Artificial Intelligence for All’.

The term artificial intelligence (AI) may conjure up science fiction stories or robots. However, you may be surprised to find out that it is present in your everyday life.

Video games, online customer support, smart home appliances, promotional emails, as well as personalized and contextual digital advertising are some examples of AI.

In Iran, AI started to be taught as a university course 16 years ago. Iran is applying AI in mitigating traffic density, offering financial services and for military purposes.

Like all other parts of the world, Iran is developing AI as a necessary part of up-to-date technology and modern life.

Wherever you live, you are surrounded by AI whether you notice or not.

The smartphone in your hand, the bank card in your purse, and even the appliances you use every day at home are AI-based technology in your daily life. AI has a great impact on your life, and without it your life would be very different.

Like any other new type of technology, AI has positive and negative effects on our lives, and, as with other aspects of life, awareness is the only way to benefit from the facilities that make our life easier when they are used in the right way.

World Telecommunication and Information Society Day

According to the UN, the purpose of World Telecommunication and Information Society Day (WTISD) is to help raise awareness of the possibilities that the use of the Internet and other information and communication technologies (ICT) can bring to societies and economies, as well as of ways to bridge the digital divide.

May 17 marks the anniversary of the signing of the first International Telegraph Convention and the creation of the International Telecommunication Union.

In recent years there has been significant progress in AI technology, made possible by tremendous advances in contributing fields, such as big data, machine learning, computing power, storage capacity and cloud computing, among others.

AI-based technologies are already emerging as a key component of proactive tools and applications being used to help people lead better lives by improving healthcare, education, finance, agriculture, transportation, and a wide range of other services.

The 2018 theme will focus on the potential of Artificial Intelligence (AI) to accelerate the United Nations Sustainable Development Goals (SDGs).

First published in our partner Tehran Times


Use blockchain model to cut small firms’ costs and empower citizens

MD Staff


Applying the “blockchain” model to areas like energy use, supply chains and governance would cut costs for firms and empower citizens, said the Industry Committee.

Blockchain transactions are recorded by multiple users, rather than by paid – and often costly – intermediaries. The model is currently best known for underpinning the functioning of digital currencies, such as Bitcoin.

The committee approved on Wednesday recommendations on how to apply the blockchain model elsewhere, so as to cut intermediation costs for small firms, empower citizens and enable the EU to become a global leader in this field.

It is not all about Bitcoin

Citizens could use blockchains to gain full control of their own data and decide what to share, and small firms and innovative start-ups could use them to cut intermediation costs and ensure that transactions are executed efficiently, the approved text says.

MEPs advocate applying the blockchain model to areas such as energy consumption, health care, supply chains, transport, finance and the creative industries.

For example, the model could help to:

  • monitor the origin of goods, offering greater certainty that, e.g., diamonds are ethically sourced, clothes are not made in sweatshops and a bottle of champagne comes from Champagne,
  • “democratize” the energy market, by enabling households that produce energy to exchange and consume it without the need to pay an intermediary agency, and
  • create records such as land registries, birth certificates and business licences with less dependence upon lawyers, notaries and government officials.

Getting blockchain rules right

Industry Committee MEPs call on the EU Commission to propose a regulatory approach, designed to promote different uses of blockchains and other distributed ledger technologies (DLTs), that is innovation-friendly and technology-neutral.

To ensure the sector is competitive, MEPs also ask for the post-2020 EU long-term budget (Multiannual Financial Framework – MFF, currently under negotiation) to include funding for blockchain-based research and projects.

Background

Blockchain-based transactions create fast, cheap and secure public records and can be also used for many non-financial tasks, such as casting votes in elections or proving that a document existed at a specific time. Blockchains are particularly well suited to situations where it is necessary to know ownership histories.

They also present opportunities in all kinds of public services such as health and welfare payments and, at the frontier of blockchain development, are self-executing contracts paving the way for companies that run themselves without human intervention.


The Cyber Harassment of Women in Pakistan

Venita Christopher


Technology has achieved remarkable success across the globe. Today everyone has access to modern technology and is addicted to its use, especially social media websites like Facebook, Twitter, Imo, Skype, Hangouts and many others, which have caught so many people in their web that not only the young generation but adults too are trapped in their spindle. Neither men nor women are safe from cyber harassment today, but women are the more prominent victims of sexual and mental exploitation. Invasion of privacy, extortion, cyberbullying and blackmail rank at the top for spoiling women’s lives.

According to a report by the Digital Rights Foundation, 40 percent of women face different forms of online harassment on the internet. These social websites are useful in one way, but on the other hand they have many harmful effects. The cyber world has excelled in its tricks today, and there are many ways to either secure or ruin human lives in seconds through it. By turning a blind eye and trusting known or unknown people, a lot of lives in Pakistan have been lost due to ignorance, innocence and lack of awareness about using social websites.

According to the Online Violence study, 72 percent of women in Pakistan are unaware of cyber laws and cyber hygiene. Over the last few years, research has shown that women in Pakistan are facing insecurity and threats to their lives because of these social and dating websites. Women are being cyberbullied, harassed, blackmailed and tortured online on these websites, which has raised frightening alarms around the world. Today the main concern is why women are not secure either online or offline. Why has no way yet been developed to stop this horrifying trend in Pakistan and to secure the lives of women in the future?

We are all addicted to using social websites. No doubt they are useful, but on the other hand lack of awareness and the tricks of the cyber world have led us into an insecure world from which we cannot find a way to escape. Despite the cyber bill passed by Pakistan in 2015, this serious problem has not been stopped yet, and the number of victims increases day by day. In our patriarchal society women are considered socially, morally, spiritually and physically weak beings created by God, and our society treats them in the same way. The thinking of society has made too many women psychologically weak, so that they keep their mouths closed after being raped, bullied, harassed or blackmailed online or offline. The conservative thinking of our societies is that women are the honour of the family and that they have to keep quiet and keep the matter secret if any horrifying thing happens to them, because if they speak out they may damage their family’s status in society.

The government of Pakistan passed the Punjab Protection of Women against Violence Act last year, which has worked only a little, but until now no act or bill has been passed to stop online violence against women on a larger scale. Lack of awareness and education is one of the biggest concerns behind the deaths of women who were sexually exploited online. When the few strong women of our society have taken a step to get help and catch the hidden culprit behind the computer, our families and police investigators have added fuel to the fire and caused psychological fear in them instead of helping them. Investigators, both male and female, ask such abusive and shameless questions of female victims that it hits their nerves and they abandon the case midway instead of fighting for their rights. The question arises: why have the authorities been quiet on this issue for so many years? What is the purpose of passing a cyber bill when it is not implemented practically across the country? Why are male police officers being used to investigate women who are being harassed online? These are all reasons why women face insecurity in Pakistan and other Asian countries, not only offline but online as well, because proper measures, rules, laws, bills and acts have not yet been passed to stop the cyber stalking, trolling and extortion of women.

Recommendations to Check Cyber Crimes:

There should be female cyber experts in Pakistan who deal only with the issues of women being exploited online, because victims sometimes hesitate to show or reveal personal data or pictures to male cyber experts.

There should be a separate department of cyber experts who deal with these issues personally, without involving the whole family in the case, and women should be given the contacts of those experts so that whenever they face a problem or are being scammed they can immediately seek help from them.

Women should go straight to these departments and meet the experts without any hesitation. Moreover, there should be one female police investigator available at all times in the cyber section to investigate women’s cases, so that they do not feel ashamed or disrespected as they might when going to police stations.

It is impossible to stop cyber threats in today’s world, but awareness campaigns, seminars conducted by cyber experts, and surveys by women’s NGOs and organisations in Pakistan can play a decisive role in saving the lives of women.

There should be male and female counsellors available in cyber departments for the counselling of harassed women who have been victimised and mentally affected, and who are afraid to tell the truth in order to seek help and catch the culprit behind the computer.

Software should be developed and provided to all women, educated or uneducated, for their cell phones, laptops and computers, that detects any harmful act done to their devices or to the social sites used on those devices.

Proper seminars should be conducted regularly in remote areas by women’s organisations and NGOs, where women are taught the use of these social sites and the ways to protect their lives online.

The government should introduce a subject on cyber hygiene for the safe use of social websites for all students in every educational institution, starting from junior classes.

Copyright © 2018 Modern Diplomacy