
Finding Facebook Fakes


If you were to judge the effectiveness of Facebook’s efforts to combat fake profiles by the half-billion fake accounts it shut down in the first quarter of 2018, you might conclude the company is doing as promised in the face of the Cambridge Analytica scandal. However, when you consider that 3%-4% of all 2.4 billion+ profiles are still fake, it makes you wonder what exactly Facebook is accomplishing by shuttering fake profiles, other than good PR.

Using AI to judge the content of potentially harmful fake profiles, and their subsequent posts and comments, is at the forefront of the “transparent” efforts by the tech giant to quell public outcry over its role in the 2016 election. This zeal to stop fake news has dominated headlines but remains mostly feckless, considering the increase in profiles and Facebook’s lack of transparency about how it is going to police fake profiles, despite protestations to the contrary.

The sad truth that has been leaking out is that fake news is still propagated on Facebook, and there seems to be very little that the company plans to do to stop channels that spread lies, hate, and propaganda. If anything, the efforts seem to have normalized unchecked information on the social media network.

The great hope remains that Facebook will come to its senses and design a program that better facilitates identifying fake profiles and propaganda and delineating them for users. Certainly, Facebook is trying, and is shutting down fake profiles and groups on a daily, if not hourly, basis. Alas, it might not be enough.



Google Faces Fines


Google has been saddled with the largest fine yet by the EU—€4.34bn ($5 Billion USD). The fine, based on the European Union’s claims, is over “serious illegal behavior” tied to how Google monopolizes its search engines on mobile phones in Europe.

The claims are derived from a finding that Google required pre-installation of its search engine and web browser on phones using the Android operating system, which is used on nearly 80% of phones. If manufacturers failed to pre-install as instructed, they would lose access to the Google Play store and other streaming services provided by Google.

Margrethe Vestager, the EU’s competition commissioner, had some harsh words about the tech giant: Google uses the Android OS “to cement its dominance as a search engine,” preventing innovation and competition, “and this is illegal under EU antitrust rules.” She added: “The vast majority of users simply take what comes with their device and don’t download competing apps.” She concluded that these services are not free, as consumers “pay with their data” to use them. “Or to slightly paraphrase what [U.S. free market economist] Milton Friedman has said: ‘there ain’t no such thing as a free search.’”

Citing that inhibiting innovation and competition through restrictive usage of the Android OS is illegal under EU antitrust rules, Vestager stated that Google monopolizes the market. Unsurprisingly, Google was quick to announce that it would be appealing the ruling. A Google spokesperson had the following to say about the verdict:

“Android has created more choice for everyone, not less. A vibrant ecosystem, rapid innovation and lower prices are classic hallmarks of robust competition. We will appeal the commission’s decision.”

The tech giant has 90 days to end the practices outlined in the ruling to avoid increased and continued fines. The verdict caps a three-year investigation into the Android OS by the European Commission’s competition authorities.



Electronic Privacy Act Could Have a Detrimental Impact on Businesses


The GDPR May adoption date has caused many American businesses headaches as they scramble to understand how the EU approaches the electronic privacy of its citizens. An April 2018 flash poll conducted by Baker Tilly Virchow & Krause LLP noted that 90% of organizations were not ready for GDPR.

A study conducted by McDermott Will & Emery LLP found that 71% acknowledged “that lack of compliance could have a detrimental impact on their companies’ ability to conduct business globally.”

American businesses need the EU’s customers. As a result, many may get lost in trying to become GDPR compliant without fully understanding why. At this point, most employees who have heard about GDPR understand that the new regulations ensure the privacy of EU citizens. However, this is not enough. American-based companies and their employees need to understand how PII travels throughout their company’s workflows. This understanding helps businesses and organizations that use sensitive PII be proactive in its protection, thus ensuring a consumer connection with American-based companies.

The GDPR had only been in effect mere hours before an Austrian company filed GDPR complaints against Google, Facebook, WhatsApp, and Instagram. Facebook owns WhatsApp and Instagram, so they may be in even deeper trouble than Google. Nonetheless, the very quick filing of the complaint hints at the motives behind passing the GDPR. While few Americans may have known the exact reasoning behind Mark Zuckerberg’s testimony before the EU Parliament on May 22nd, he was there to reassure EU citizens that they could continue to use Facebook despite GDPR, which would be implemented less than a week later. Much as it is in the United States, these types of public hearings before governmental bodies tend to align with contemporary politics.


Records managers and other professionals who manage information at the executive level need to take an IG approach to understanding how all information, not just PII, moves through their businesses. Prior to GDPR enactment, tech companies that relied on proprietary algorithms could collect data from any number of collection points. Under the new regulatory framework, data collection should be severely limited and is no longer part of the processor function. Consequently, any IG professional who seeks an understanding of GDPR must fully grasp this unique relationship between controller and processor.

Under GDPR, it is unclear how these proprietary algorithms will continue to function. They depend on the all-encompassing definition of processing listed in Article Four, Section 2. Figure One illustrates the new controller-to-processor relationship. Notice that the flow of information is only one way in this relationship.

Understanding the flow of information and the duties ascribed to the controller and processor roles, while also managing information in a GDPR-compliant IG framework, is a challenge that can be addressed with a firm conception of what privacy means to an EU resident.

Discovering Data – 8 Ways to Identify Personal Data


GDPR was a tsunami for businesses across the globe. And now that it has crashed upon the shore, the search to locate and secure personal data has become paramount. Since many businesses are not quite up to the task, here are eight strategies that can assist in the identification of personal data:


1) Looking for Documentation. This might seem intuitive, and you would be right. The problem is that only the most basic of systems will be able to rely on documentation alone to find consumers’ personal data.

2) Manual Investigation. Again, smaller systems will be able to do this; however, the larger the system, the more labor-intensive this becomes.

3) Turning to Application or Technical Specialists. Since the application and underlying data model are no doubt more technical than a manual investigation would allow, seeking out a specialist is the right move.

4) Hiring External Consultants. Similar to technical specialists, you are outsourcing expertise. However, there can be a drawback: often, there is a cost associated with a consultant getting up to speed on your particular data landscape.

5) Metadata-Driven Software Approach. An intriguing approach is to use analytics to find the metadata associated with the personal data in order to locate it. This approach is often much quicker than the others.

6) Intranet or Internal System Search. Performing basic searches using existing tools in applications that house customer/consumer data.

7) Best Guess and Hypothesis Testing. While it sounds like statistical testing, this approach is predicated on observations and insights, and is frequently inaccurate as a result.

8) Turning to Software Vendors. Using new GDPR and privacy compliance tools for data mapping and data inventorying.


Implementing GDPR And The Need For Data Protection Officers


The European Union General Data Protection Regulation (GDPR) is being subsumed into British domestic legislation, and is now the basis for a new Data Protection Act, replacing the old 1998 Act, itself based on a 1995 EU Directive. For this reason, until the new Act receives Royal Assent, this piece continues to refer to the GDPR. The pending legislation is, overall, causing much generalised debate regarding its implications and where Data Protection practice in the UK is destined.

There has been substantial specific debate and concern about who should be appointed as the Data Protection Officer (DPO) under the GDPR within healthcare organizations. In this section we will attempt to inject some order into the confusion. Our analysis draws on the GDPR itself, guidance from the Article 29 Working Group (WP29) and the UK Information Commissioner’s Office (ICO), and significant discussion between the authors, both interpersonally and online, with Information Governance (IG) and Data Protection professionals.

The perspective here is mostly applicable to Acute trusts within the National Health Service (NHS), although its message is likely to be applicable more broadly across the UK healthcare sector.


Is a DPO Required?

GDPR Article 37 states that a DPO is needed in any case where:

  • The processing is carried out by a public authority or body, except for courts; or
  • The core activities of the Data Controller or the Data Processor consist of processing operations which, by virtue of their nature, their scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities of the Data Controller or the Data Processor consist of processing large volumes of Special Categories of Data or information about criminal convictions and offences.[1]

Whereas it is common understanding that the NHS is a public body, the term “public authority or body” is, rather unhelpfully, not defined in the GDPR. For the sake of clarity, however, it is apparent by extrapolation from the definition in Schedule 1 of the Freedom of Information Act 2000 that the NHS is indeed included.


Who Should Be the DPO?

It is perfectly acceptable for public bodies to appoint a single DPO to be shared between authorities.[2] It may be beneficial that the DPO is shared between healthcare organizations working in close partnership with each other, or perhaps across several organizations within a localized partnership.

GDPR Article 38 is clear about the position of the DPO, in that the Data Controller and Data Processor shall:

  • Ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  • Support the DPO in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge.
  • Ensure that the DPO does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the Data Controller or the Data Processor for performing his tasks. The DPO shall report to the highest management level.[3]


DPO Tasks & Duties

The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks. The Data Controller or Data Processor shall ensure that any such tasks and duties do not result in a conflict of interests.[4]

With regard to the last point, WP29 clarifies that:
As a rule of thumb, conflicting positions within the organization may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.[5]

DPOs do not have to be lawyers, but need expert knowledge of Data Protection law and practices. From a practical perspective, they must also have an excellent understanding of the organization’s governance structure and be familiar with its IT infrastructure and technology.

The DPO role may be employed (“internal DPO”), or there may be circumstances where they may act under a service contract (“external DPO”). In both cases, they must be given the necessary resources to fulfill the relevant job functions and be granted a certain level of independence, to be able to act in the necessary “independent manner.”

The DPO does not have to be a standalone role, and may have other tasks within the organization, so long as they do not interfere with the DPO role. WP29 has made it clear that the DPO “cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data.”[6]

Many healthcare organizations already have staff in place who oversee most issues relating to Data Protection. These roles generally have titles such as Head of IG, IG Lead, IG Manager or Privacy Officer. It is anticipated that these roles will be the most appropriate to undertake the DPO role within healthcare organizations with mature IG models.



What are the Qualifications to be a DPO?

GDPR Article 37 does not absolutely define the credentials for a DPO beyond “expert knowledge of data protection law and practices.”[7] The GDPR’s Recitals add that this should be “determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”[8]

Realistically, this is a member of staff with detailed expert knowledge and experience of applying IG and Data Protection principles within a healthcare environment.

The WP29 guidance clarifies this further:
Although Article 37(5) does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.

DPO Qualifications & Experience

Knowledge of the business sector and of the organization of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller. In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.[9]


What are the Tasks of the DPO?

The DPO’s tasks are very clearly delineated in GDPR Article 39, to:

  • Inform and advise the Data Controller or Data Processor and the employees who carry out processing of their Data Protection obligations
  • Monitor Data Protection compliance
  • Assign responsibilities, awareness-raising, and training of staff involved in processing operations
  • Undertake internal audits of Data Protection
  • Provide advice on the need for and completion of Data Protection Impact Assessments
  • Cooperate with the ICO and act as the contact point for any issues relating to processing
  • Undertake or advise on the potential risk of processing activities.


What are the Organization’s Responsibilities?

The most essential requirement is that the DPO must be allowed to perform their tasks in an independent manner. They need to report to the highest management level in the organization and cannot be dismissed or penalized for doing their job (i.e. giving advice). This will require a robust governance reporting structure for the DPO to function, and evidence that advice has been accepted or rejected.

GDPR Article 38 requires the organization to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The WP29 Guidance adds that, depending on the nature of the processing operations and the activities and size of the organization, the following resources should be provided to the DPO:

  • Active support of the DPO’s function by senior management (such as at board level).
  • Sufficient time for DPOs to fulfil their duties.
  • Adequate support
  • Official communication of the designation of the DPO to all staff
  • Necessary access to other services
  • Continuous training

Given the size and structure of the organization, it may be necessary to set up a DPO team (a DPO and his/her staff). Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client.[10]

Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as the equivalent of €10m (almost £9m at time of writing) or 2% of the organization’s turnover, whichever is higher. The appointment of a DPO is not only a legal requirement; it must also be seen as an efficient way to ensure Data Protection compliance, something that is especially true when it comes to sophisticated Data Processing activities and cross-border data flows.