Newsletter - February 2019

10 QUESTIONS TO ASK ABOUT DATA PROTECTION

If the personal data you are collecting is in a computer format, here is a partial list of questions that need to be answered:

First, a look at the equipment storing the data:

  • When using Windows or MacOS, are you using anti-virus and anti-malware programs that are updated regularly? (With mobile technology, Android or iOS systems are less vulnerable in this area)
  • Do the users needing access to the data have their own login and password? If not, it is impossible to determine who accessed the data.
  • Is the data stored in an encrypted format on the computer hard drive? Mobile phones and tablets offer that option; it is a bit more complicated for computers but there are data encryption software available.
  • Is the data safely removed when computers are disposed of?

Next, a look at the shared or external infrastructure:

  • When using Cloud storage services (Dropbox, Box, OneDrive, Google Drive, etc.) have you verified that these services are in compliance with the Regulation?
  • When using USB keys to transfer personal data, is the data encrypted?
  • When transmitting personal data over public WIFI networks, is the data encrypted? Hackers often target such networks.

Finally, a look at the level of security training of your personnel:

  • Has your personal been trained on the principles of computer security and the principles of the GDPR regulation, such as the understanding of what constitutes personal data, to never open an attachment or click on a link from a suspicious source? The training must be formal and the participants must sign.
  • Does your personnel know who to contact with questions regarding GDPR and its scope?
  • Does your personnel know what actions to take or not to take when uncovering a breach of personal data?

Answering ”YES” to those ten questions will allow you to avoid a great majority of risks and problems.

THE CONCEPT OF THE GDPR SCOPE

Before the General Data Protection Regulation (“GDPR” or “the Regulation”) of 2016 that came into effect on May 25, 2018, the idea of the scope of a legislation was generally present in Europe: on one hand, there was the geographical domain, which was the EU territory as described in the 1995 Directive that the GDPR replaced and, on the other hand, the scope of applicability, as defined by the law itself. GDPR, nevertheless, altered this scope of applicability quite notably.

As we know since last year, GDPR applies to every processing of personal data occurring in the geographical domain. This geographical domain however is no longer simply defined by the place of residence of the natural person or of the entity that handles the processing. GDPR is now applicable to:

  • Controllers and Processors established in the European Union;
  • Controllers and Processors not established in the Union who process the personal data of data subjects who are in the Union;
  • Controllers and Processors not established in the Union who contract Processors established in the Union to process the data on their behalf

Any legal principle needs to be clearly defined and interpreted and, once again, the Regulation attempts to extend the scope of application as widely as possible in order to offer the greatest protection to natural persons. It is done in three ways:

The definition of “establishment” is based on two criteria being “as inclusive as possible”. Unlike the traditional meaning of the word, which describes an establishment as a legal entity, thus a permanent structure having some autonomy from its parent /main organization, the Regulation’s requirements are more flexible: an establishment must exercise a “real” and “effective” activity through “stable arrangements”.

In other words, a separate legal entity is no longer required and but at least one employee who exercises an activity with a sufficient level of stability (e.g a permanent part-time employee). The only qualification is that the task exercised by the establishment be “intimately” linked to the processing of personal data performed outside of the European Union.

The definition of “data subject” is also the widest: it means natural persons located (established?) in the EU. This however does not restrict the application of GDPR to EU citizens only: any processing of personal data aimed at individuals established in the EU is protected under the Regulation.

As an example, a website with pages in German or Italian or offering prices in Euros would be subjected to the Regulation since it obviously targets the EU general public.

Finally, any processing aimed at profiling natural persons during their stay in the EU, even if such persons live elsewhere, is subjected to the Regulation. For example, organizations using web-monitoring or geolocation software for direct marketing purposes to non-EU citizens traveling in the EU are subjected to the Regulation if such monitoring enables the identification of the data subject directly or indirectly.

Since the implementation of GDPR, the various Supervisory Authorities of the EU have published practical guides that attempt to clarify many things. The lists in these guides are generally not exhaustive and it is necessary to keep an eye on these publications to better understand that will influence the decisions of the Supervisory Authorities.

LegIT-Team carries out this surveillance, consistently ensuring that the legal obligations of its clients are met.

INTERNET LEGISLATION IS BOUND TO EVOLVE

A committee of the British House of Commons recently published a damning report on Facebook titled “Disinformation and ‘Fake News’ ”. The report denounced Facebook’s handling of personal data and its use for political campaign and concluded that the big tech companies must not be allowed to expand exponentially, without constraint or proper regulatory oversight.

The report is no doubt another reason to better legislate the Internet. Practically though, it may be difficult to implement: there is no regulatory body yet that has the authority to legislate big tech companies globally nor is there any willingness to do so as the differences in Internet laws between European, North-American, Latin-American, Asian and African countries clearly show. It is thus possible that each country wanting to address personal data protection will enact its own legislation, with varying abilities to impose its decisions in the country where big tech companies are located.

In the coming years and even decades, it will become increasingly important for organizations (Controllers) to implement surveillance programs, either internal or external, in order to avoid getting entangled in a legal quagmire originating from a country other than the one(s) where the organization is established.

WHO WE ARE

LegIT-Team is composed of legal and IT experts and specializes in providing GDPR compliance services to organizations. Services include:

  • Organizational review
  • Identification of the processes and procedures to improve or create
  • Identification of the short and long term priorities and resources to implement
  • Full management and implementation of the GDPR compliance requirements

Please contact us at info.legit-team.com to see how we can help you navigate and maintain your organization in compliance with the new Regulation.