If you were to judge the effectiveness of Facebook’s efforts to combat fake profiles by the half-billion fake accounts they shut down in the first quarter of 2018, then you might conclude they are doing as promised in the face of the Cambridge Analytica scandal. However, when you consider that 3%-4% of all 2.4 billion+ profiles are still fake, then it makes you wonder what exactly Facebook is accomplishing with shuttering fake profiles other than good PR.
The use of AI to judge the content of potentially harmful fake profiles, and their subsequent posts and comments, is at the forefront of the “transparent” efforts by the tech giant to quell public outcry over its role in the 2016 election. This zeal to stop fake news has dominated headlines, but remains mostly feckless considering the increase in profiles and Facebook’s lack of transparency about how it is going to police fake profiles, despite protestations to the contrary.
The sad truth that has been leaking out is that fake news is still propagated on Facebook, and there seems to be very little that the company plans to do to stop channels that spread lies, hate, and propaganda. If anything, the efforts seem to have normalized unchecked information on the social media network.
The great hope remains that Facebook will come to its senses and design a program that better facilitates identifying fake profiles and propaganda and delineating them for users. Certainly, Facebook is trying, and is shutting down fake profiles and groups on a daily, if not hourly, basis. Alas, it might not be enough.
The GDPR’s May adoption date has caused many American businesses headaches as they scramble to understand how the EU approaches the electronic privacy of its citizens. An April 2018 flash poll conducted by Baker Tilly Virchow & Krause LLP noted that 90% of organizations were not ready for GDPR.
A study conducted by McDermott Will & Emery LLP found that 71% acknowledged “that lack of compliance could have a detrimental impact on their companies’ ability to conduct business globally.”
American businesses need the EU’s customers. As a result, many may get lost in trying to become GDPR compliant without fully understanding why. At this point, most employees who have heard about GDPR understand the new regulations ensure privacy of EU citizens. However, this is not enough. American-based companies and their employees need to understand how PII travels throughout their company’s workflows. This understanding helps businesses/organizations who use sensitive PII be proactive in its protection, thus ensuring a consumer connection with American-based companies.
The GDPR had only been in effect mere hours before an Austrian company filed GDPR complaints against Google, Facebook, WhatsApp, and Instagram. Facebook owns WhatsApp and Instagram, so they may be in even deeper trouble than Google. Nonetheless, the very quick filing of the complaint hints at the motives behind passing the GDPR. While few Americans may have known the exact reasoning behind Mark Zuckerberg’s testimony before the EU Parliament on May 22nd, he was there to reassure EU citizens that they could continue to use Facebook despite GDPR, which would be implemented less than a week later. Much as it is in the United States, these types of public hearings before governmental bodies tend to align with contemporary politics.
Google has been saddled with the largest fine yet by the EU—€4.34bn ($5 Billion USD). The fine, based on the European Union’s claims, is over “serious illegal behavior” tied to how Google monopolizes its search engines on mobile phones in Europe.
The claims are derived from a finding that Google required pre-installation of their search engine and web browser on phones using the Android operating system, which is used on nearly 80% of phones. If manufacturers failed to pre-install as instructed, then they would lose access to the Google Play store and other streaming services provided for by Google.
Margrethe Vestager, the EU’s competition commissioner, had some harsh words about the tech giant: Google uses the Android OS “to cement its dominance as a search engine,” preventing innovation and competition “and this is illegal under EU antitrust rules.” She added: “The vast majority of users simply take what comes with their device and don’t download competing apps.” She concluded that these services are not free, as consumers “pay with their data” to use them. “Or to slightly paraphrase what [U.S. free market economist] Milton Friedman has said: ‘there ain’t no such thing as a free search.’”
Citing that the inhibition of innovation and competition through restrictive usage of the Android OS is illegal under EU antitrust rules, Vestager stated it monopolizes the market. Unsurprisingly, Google was quick to announce that it would be appealing the ruling. A Google spokesperson had the following to say about the verdict:
“Android has created more choice for everyone, not less. A vibrant ecosystem, rapid innovation and lower prices are classic hallmarks of robust competition. We will appeal the commission’s decision.”
The tech giant has 90 days to end the practices outlined in the ruling to avoid increased and continued fines. The verdict caps a three-year investigation into the Android OS by the European Commission’s competition authorities.
Records managers and other professionals who manage information at the executive level need to take an IG approach to understanding how all information, not just PII, moves through their businesses. Prior to GDPR enactment, tech companies that relied on proprietary algorithms could collect data from any number of collection points. Under the new regulatory framework, data collection should be severely limited and is no longer part of the processor function. Consequently, any IG professional who seeks an understanding of GDPR must fully grasp this unique relationship between controller and processor.
Under GDPR, it is unclear how these proprietary algorithms will continue to function. They depend on the all-encompassing processing information listed in Article Four, Section 2. Figure One illustrates the new controller to processor relationship. Notice the flow of information is only one way in this relationship.
Understanding the flow of information and the duties ascribed to the controller and processor roles, while also managing information in a GDPR-compliant IG framework, is a challenge that can be addressed with a firm conception of what privacy means to an EU resident.
GDPR was a tsunami for businesses across the globe. And now that it has crashed upon the shore, the search to locate and secure personal data has become paramount. Since many businesses are not quite up to the task, here are eight strategies that can assist in the identification of personal data:
1) Looking for Documentation. This might seem intuitive, and you would be right. The problem comes when considering that only the most basic of systems will be able to use this to find consumers’ personal data.
2) Manual Investigation. Again, smaller systems will be able to do this; however, the larger the system, the more labor-intensive this becomes.
3) Turning to Application or Technical Specialists. Since the application and underlying data model are no doubt more technical than a manual investigation would allow, seeking out a specialist is the right move.
4) Hiring External Consultants. Similar to technical specialists, you are outsourcing expertise. However, there can be a drawback: often, there is a cost associated with a consultant getting up to speed on your particular data landscape.
5) Metadata-Driven Software Approach. An intriguing approach is to use analytics to find the metadata associated with the personal data in order to locate it. This approach is often much quicker than others.
6) Intranet or Internal System Search. Performing basic searches using existing tools in applications that house customer/consumer data.
7) Best Guess and Hypothesis Testing. While it sounds like statistical testing, this approach is predicated on observations and insights, and is frequently inaccurate as a result.
8) Turning to Software Vendors. Using new GDPR and privacy compliance tools for data mapping and data inventorying.
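Strategies 5, 6 and 8 above all come down to the same mechanical task: walk an inventory of systems, use the column metadata (names, types) as the first signal, confirm with a small sample of values, and produce a data map a records manager can act on. The following Python script is an added example illustrating that metadata-driven approach; it is not code from Privacy Today or from any vendor tool. The schema, table and column names, and sample values are all constructed for the example, and the name hints and value patterns are deliberately simple so that the ranking logic (metadata hit, value hit, or both) is easy to follow.

```python
import re
from dataclasses import dataclass

# Constructed column metadata, in the shape a schema export or data-catalogue
# tool would hand to a records manager. Table and column names are invented;
# the type strings are informational only and are not used by the classifier.
SCHEMA = {
    "crm.customers": {
        "cust_id": "int", "full_name": "varchar", "email_addr": "varchar",
        "date_of_birth": "date", "signup_ts": "timestamp",
    },
    "billing.invoices": {
        "invoice_id": "int", "cust_id": "int", "amount": "decimal",
        "card_last4": "char", "contact_no": "varchar",
    },
    "ops.host_metrics": {"metric_id": "int", "host": "varchar", "cpu_pct": "float"},
}

# Constructed sample values, as a profiler would read them from the first rows
# of each table. Columns with no entry here are classified on metadata alone.
SAMPLES = {
    "crm.customers": {
        "full_name": ["A. Example", "B. Sample"],
        "email_addr": ["a.example@example.org", "b.sample@example.net"],
        "date_of_birth": ["1984-03-12", "1991-11-30"],
        "signup_ts": ["2018-05-25T09:00:00Z"],
    },
    "billing.invoices": {
        "card_last4": ["4242", "1881"],
        "contact_no": ["+447700900123", "07700900456"],
    },
    "ops.host_metrics": {"host": ["web-01", "web-02"]},
}

# Metadata signal: substrings commonly found in personal-data column names.
# Ordered, first match wins; extend this list for your own naming conventions.
NAME_HINTS = [
    ("email", "contact"), ("mail", "contact"), ("phone", "contact"),
    ("contact", "contact"), ("addr", "contact"),
    ("birth", "identity"), ("dob", "identity"), ("name", "identity"),
    ("nino", "identity"), ("ssn", "identity"),
    ("card", "financial"), ("iban", "financial"),
]

# Value signal: anchored patterns applied to sampled values. A bare ISO date is
# weak evidence on its own, which is why it only reaches "high" together with
# a supporting column name.
VALUE_PATTERNS = [
    ("email", "contact", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("uk_phone", "contact", re.compile(r"^(\+44|0)\d{9,10}$")),
    ("iso_date", "identity", re.compile(r"^\d{4}-\d{2}-\d{2}$")),
]


@dataclass
class Finding:
    table: str
    column: str
    category: str
    confidence: str   # "high" (both signals agree), "medium" (name only),
                      # "review" (values only, or signals disagree)
    evidence: list


def hint_from_name(column):
    lowered = column.lower()
    for needle, category in NAME_HINTS:
        if needle in lowered:
            return category, f"name contains '{needle}'"
    return None, None


def hint_from_values(values, min_ratio=0.8):
    """Return (category, evidence) when most sampled values match one pattern."""
    if not values:
        return None, None
    for label, category, pattern in VALUE_PATTERNS:
        hits = sum(1 for v in values if pattern.match(str(v)))
        if hits / len(values) >= min_ratio:
            return category, f"{hits}/{len(values)} values match {label}"
    return None, None


def classify_column(table, column, values):
    name_cat, name_ev = hint_from_name(column)
    val_cat, val_ev = hint_from_values(values)
    evidence = [e for e in (name_ev, val_ev) if e]
    if name_cat and val_cat:
        confidence = "high" if name_cat == val_cat else "review"
        return Finding(table, column, name_cat, confidence, evidence)
    if name_cat:
        return Finding(table, column, name_cat, "medium", evidence)
    if val_cat:
        return Finding(table, column, val_cat, "review", evidence)
    return None


def build_inventory(schema, samples):
    """Walk every table/column and keep only columns with at least one signal."""
    findings = []
    for table, columns in schema.items():
        for column in columns:
            values = samples.get(table, {}).get(column, [])
            finding = classify_column(table, column, values)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Per-table counts by confidence, for the data-map summary sheet."""
    out = {}
    for f in findings:
        out.setdefault(f.table, {}).setdefault(f.confidence, 0)
        out[f.table][f.confidence] += 1
    return out


if __name__ == "__main__":
    for f in build_inventory(SCHEMA, SAMPLES):
        print(f"{f.table}.{f.column}: {f.category} ({f.confidence}) - {'; '.join(f.evidence)}")
    print(summarize(build_inventory(SCHEMA, SAMPLES)))
```

Run against the constructed schema, the script flags five columns and leaves the operational metrics table alone; `medium` findings such as `full_name` and `card_last4` are the ones that still need a human (strategy 2 or 3) to confirm, which is exactly where the labor-intensive manual work should be spent rather than across the whole estate.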
The European Union General Data Protection Regulation (GDPR) is being subsumed into British domestic legislation, and is now the basis for a new Data Protection Act, replacing the old 1998 Act, itself based on a 1995 EU Directive. For this reason, until the new Act receives Royal Assent, this piece continues to refer to the GDPR. The pending legislation is, overall, causing much generalised debate regarding its implications and where Data Protection practice in the UK is destined.
There has been substantial specific debate and concern about who should be appointed as the Data Protection Officer (DPO) under the GDPR within healthcare organizations. In this section we will attempt to inject some order into the confusion. Our analysis has concentrated on the GDPR itself, along with guidance from the Article 29 Working Group (WP29) and the UK Information Commissioner’s Office (ICO), and significant discussion between the authors, both interpersonally and online, with Information Governance (IG) and Data Protection professionals.
The perspective here is mostly applicable to Acute trusts within the National Health Service (NHS), although its message is likely to be applicable more broadly across the UK healthcare sector.
GDPR Article 37 states that a DPO is needed in any case where:
Whereas it is common understanding that the NHS is a public body, the term “public authority or body” is, rather unhelpfully, not defined in the GDPR. For the sake of clarity, however, it is apparent by extrapolation from the definition in Schedule 1 of the Freedom of Information Act 2000 that the NHS is indeed included.
It is perfectly acceptable for public bodies to appoint a single DPO to be shared between authorities.[2] It may be beneficial that the DPO is shared between healthcare organizations working in close partnership with each other, or perhaps across several organizations within a localized partnership.
GDPR Article 38 is clear about the position of the DPO, in that the Data Controller and Data Processor shall:
The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks. The Data Controller or Data Processor shall ensure that any such tasks and duties do not result in a conflict of interests.[4]
With regard to the last point, WP29 clarifies that:
As a rule of thumb, conflicting positions within the organization may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues. [5]
DPOs do not have to be lawyers, but need expert knowledge of Data Protection law and practices. From a practical perspective, they must also have an excellent understanding of the organization’s governance structure and be familiar with its IT infrastructure and technology.
The DPO role may be employed (“internal DPO”), or there may be circumstances where they may act under a service contract (“external DPO”). In both cases, they must be given the necessary resources to fulfill the relevant job functions and be granted a certain level of independence, to be able to act in the necessary “independent manner.”
The DPO does not have to be a standalone role, and may have other tasks within the organization, so long as they do not interfere with the DPO role. WP29 has made it clear that the DPO “cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data.”[6]
Many healthcare organizations already have staff in place who oversee most issues relating to Data Protection. These roles generally have titles such as Head of IG, IG Lead, IG Manager or Privacy Officer. It is anticipated that these roles will be the most appropriate to undertake the DPO role within healthcare organizations with mature IG models.
GDPR Article 37 does not absolutely define the credentials for a DPO beyond “expert knowledge of data protection law and practices.”[7] The GDPR’s Recitals add that this should be “determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”[8]
Realistically, this is a member of staff with detailed expert knowledge and experience of applying IG and Data Protection principles within a healthcare environment.
The WP29 guidance clarifies this further:
Although Article 37(5) does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.
Knowledge of the business sector and of the organization of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller. In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.[9]
The DPO’s tasks are very clearly delineated in the GDPR Article 39, to:
The most essential requirement is that the DPO must be allowed to perform their tasks in an independent manner. They need to report to the highest management level in the organization and cannot be dismissed or penalized for doing their job (i.e. giving advice). This will require a robust governance reporting structure for the DPO to function and evidence that advice has been accepted or rejected.
GDPR Article 38 requires the organization to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The WP29 Guidance adds that, depending on the nature of the processing operations and the activities and size of the organization, the following resources should be provided to the DPO:
Given the size and structure of the organization, it may be necessary to set up a DPO team (a DPO and his/her staff). Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client. [10]
Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as the equivalent of €10m (almost £9m at time of writing) or 2% of the organization’s turnover, whichever is higher. The appointment of a DPO is not only a legal requirement, it must also be seen as an efficient way to ensure Data Protection compliance, something that is especially true when it comes to sophisticated Data Processing activities and cross-border data flows.
Copyright © 2019 Privacy Today & InfoGov World Media LLC- All Rights Reserved.