What is the right of access?

The right of access (Article 15 of the GDPR) gives the individual the ability to learn whether his or her personal data are being processed and, if they are, to obtain access to those personal data together with the following information:

  • The purposes of the processing;
  • The categories of personal data being processed;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed;
  • How long the personal data will be stored (or the criteria by which that time period is determined);
  • Where the personal data are not collected from the individual, the source of the personal data
  • The nature of any automated decision-making, including profiling, applied to the personal data
  • Where personal data are transferred to a third country or to an international organization, the appropriate safeguards applicable to the transfer.

In addition, the individual must be told of the existence of his or her rights to:

  • Request rectification or correction of his or her personal data
  • Request erasure of his or her personal data
  • Request restriction of processing of his or her personal data or object to such processing
  • Lodge a complaint with a supervisory authority

Besides this information, the individual is to be provided with a copy of the personal data being processed, unless providing it would adversely affect the rights and freedoms of others (for example, by disclosing another person’s personal data).  The first copy must be free of charge; a reasonable fee based on administrative costs may be charged for any additional copies the individual requests.  Where the request is made by electronic means, the response should be provided in a commonly used electronic form unless the individual requests otherwise.

This blog is the sixth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right to rectification?

The right of information – What information should be in a “website” privacy notice?

As was discussed in an earlier blog, a “website” privacy notice is an amalgam of the “individual” and “third-party” privacy notices.  An organization posts it on its website so that interested individuals can ascertain what the organization’s privacy practices are and so that visitors can determine what personal data are collected when they visit the website.  The notice sets forth the purposes for which the organization processes personal data.  If those purposes expand or change, a revised privacy notice needs to be posted on the website.

In addition to the purposes of the processing, the “website” privacy notice should contain:

  • The name and contact details of your organization
  • The lawful basis for the processing, and if consent is the lawful basis, the right to withdraw consent
  • If legitimate interest is the lawful basis for the processing, the legitimate interests for the processing
  • The categories of the personal data obtained
  • If the personal data are shared with others, the identity of the recipients or the categories of recipients of the personal data
  • If personal data are transferred to third countries or international organizations, the identity of those countries or organizations and what safeguards are used when personal data are transferred outside the EU
  • The retention periods for the personal data
  • The rights available to individuals, i.e. the rights of access, rectification, erasure, restriction of processing, data portability and objection, and the right to lodge a complaint with a supervisory authority
  • The source of the personal data
  • If individuals are under a statutory or contractual obligation to provide the personal data and the consequences for failure to do so
  • If automated decision-making, including profiling, is involved in the processing, what type it is and what the effect of such processing could be

This blog is the fifth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right of access?

The right of information – What information should be in a “third-party” privacy notice?

As was discussed in an earlier blog, a “third-party” privacy notice is one where the personal data have not been obtained from the individual. As in an “individual” privacy notice, the purpose of the processing must be included in the “third-party” notice, and if there is further processing of the personal data that is different from the purpose for which the personal data originally were obtained, then a new “third-party” privacy notice, with information on that further processing, needs to be provided to the individual. 

Like the “individual” privacy notice, the “third-party” privacy notice also must contain:

  • The name and contact details of your organization
  • The lawful basis for the processing, and if consent is the lawful basis, the right to withdraw consent
  • If legitimate interest is the lawful basis for the processing, the legitimate interests pursued
  • If the personal data are shared with others, the identity of the recipients or the categories of recipients of the personal data
  • If personal data are transferred to third countries or international organizations, the identity of those countries or organizations and what safeguards are used when personal data are transferred outside the EU
  • The retention periods for the personal data
  • The rights available to individuals, i.e. the rights of access, rectification, erasure, restriction of processing, data portability and objection, and the right to lodge a complaint with a supervisory authority
  • If automated decision-making, including profiling, is involved in the processing, what type it is and what the effect of such processing could be

Unlike the “individual” privacy notice, the “third-party” privacy notice also must contain:

  • The categories of the personal data obtained
  • The source of the personal data

GDPRsimple contains a template that helps an SME generate a “third-party” privacy notice.  That template contains the standard information that needs to be in a “third-party” privacy notice and has several blanks which are completed by selecting from drop down boxes or Yes/No answers.  By using this template appropriate for the source of the personal data and the way the privacy notice is provided to the individual, the SME is able to generate a privacy notice that accurately reflects the source of the personal data and its specific business practices. 

This blog is the fourth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  The right of information – What information should be in a “website” privacy notice?

When the NY AG comes a knocking … Zoom responds to privacy and security concerns. What are they? Is it enough?

As I wrote in a blog last week, Zoom meetings now require a password.  In that blog, I wondered what was causing Zoom to add this requirement at this time.  I speculated it could be a new security incident but couldn’t find any evidence of such an occurrence.  Now we know the reason was Zoom’s May 7th letter agreement with the New York Attorney General.  That agreement requires Zoom to increase its privacy controls by allowing hosts to:

  • Control access to their video conferences by requiring, by default, a password or a waiting room before a participant can join a Zoom meeting;
  • Control access to private messages in a Zoom chat;
  • Control access to email domains in a Zoom directory;
  • Control who can share screens;
  • Limit participants in a Zoom meeting to specific email domains; and
  • Limit participants to those with Zoom accounts, where applicable.

Furthermore, the agreement requires Zoom to implement and maintain a comprehensive information security program that includes the following administrative, technical and physical safeguards:

  • Designation of employee(s) to coordinate and be accountable for the information security program;
  • Identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction or other compromises of such information, and assessment of the sufficiency of any safeguards in place to control these risks;
  • Design and implementation of reasonable safeguards to control the risks identified through the conduct of a risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems and procedures;
  • Design and implementation of a security code review process to identify and remediate common security vulnerabilities; and
  • Evaluation and adjustment of the information security program in light of the results of the required testing or monitoring.

The agreement also requires Zoom to engage in the following additional security practices:

  • Employment of reasonable encryption and security protocols, including encrypting all personal information at rest in persistent storage on its cloud servers and encrypting all personal information in transit on the Zoom app and Zoom software;
  • Development and maintenance of reasonable procedures to address credential stuffing attacks;
  • Adherence to industry standards for preserving user security when bypassing operating system security measures; and
  • Continuing to operate a vulnerability management program to address known vulnerabilities and have reasonable safeguards to discover and fix new vulnerabilities.

The entire letter agreement between Zoom and the New York Attorney General can be found here.  In anticipation of the announcement of its agreement with the New York Attorney General, on April 27th Zoom released Zoom 5.0, which delivers:

  • AES 256-bit GCM encryption
  • Report a User feature
  • New encryption icon
  • Enhanced data center information
  • Enhancements to ending/leaving meetings

Zoom’s blog announcing these and other security functionalities can be found here.

The right of information – What information should be in an “individual” privacy notice?

As was discussed in the last blog, an “individual” privacy notice is one that is provided by the controller to the individual at the time the personal data relating to the individual are obtained.  The notice sets forth the purposes of the processing.  If there is further processing of the personal data that is different from the purpose for which the personal data originally were obtained, then a new “individual” privacy notice, with information on that further processing, needs to be provided to the individual prior to that further processing.

Other information that should be in an “individual” privacy notice are:

  • The name and contact details of your organization
  • The lawful basis for the processing, and if consent is the lawful basis, the right to withdraw consent
  • If legitimate interest is the lawful basis for the processing, the legitimate interests pursued
  • If the personal data are shared with others, the identity of the recipients or the categories of recipients of the personal data
  • If personal data are transferred to third countries or international organizations, the identity of those countries or organizations and what safeguards are used when personal data are transferred outside the EU
  • The retention periods for the personal data
  • The rights available to individuals, i.e. the rights of access, rectification, erasure, restriction of processing, data portability and objection, and the right to lodge a complaint with a supervisory authority
  • If individuals are under a statutory or contractual obligation to provide the personal data and the consequences for failure to do so
  • If automated decision-making, including profiling, is involved in the processing, what type it is and what the effect of such processing could be

GDPRsimple contains a template that helps an SME generate an “individual” privacy notice.  That template contains the standard information that needs to be in an “individual” privacy notice and has several blanks which are completed by selecting from drop down boxes or Yes/No answers.  By using this template appropriate for the source of the personal data and the way the privacy notice is provided to the individual, the SME is able to generate a privacy notice that accurately reflects the source of the personal data and its specific business practices. 

This blog is the third in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  The right of information – What information should be in a “third-party” privacy notice?

Passwords & Zoom…

Tuesday evening Zoom sent an email advising that, starting May 9th, it is requiring all customers to use passwords.  If participants join by clicking a link with a password embedded (a practice I recommend against for reasons mentioned in my earlier blog), there is no change in how a participant joins a meeting.  If a participant joins by manually entering a Meeting ID, he or she will need to enter a password to join the meeting.

In an earlier blog, I had recommended using per-meeting IDs to address the Zoombombing problem.  Zoom’s password requirement caused me to wonder if there had been a new Zoom security development.  A search did not uncover anything new I could specifically relate to the password requirement, but CNET’s April 28th timeline of every security issue uncovered sheds light on why such a requirement is a good idea.

The right of information – What types of privacy notices are there?

As mentioned in the previous blog, the right to information (Articles 13 and 14 of the GDPR) requires the controller to provide certain information to the individual, both when personal data are collected from the individual and when they are obtained from other sources.  The documents, either printed or electronic, by which this information is provided can be broken down into three types:

  • Individual
  • Third-party
  • Website

This breakdown is determined either by the source of the personal data (from the individual or a third-party) or how the privacy notice is provided to the individual (directly or by means of a website). 

Article 13 of the GDPR sets forth what information is to be provided to the individual at the time the personal data relating to the individual are obtained from him or her.  This is called an “individual” privacy notice.  What needs to be in an “individual” privacy notice will be in the next blog.

Article 14 of the GDPR sets forth what information is to be provided to the individual where the personal data have not been obtained from the individual.  This is called a “third-party” privacy notice, and it should be provided to the individual:

  • within a reasonable period after obtaining the personal data, but at the latest within one month,
  • if the personal data are to be used for communication with the individual, no later than the time of the first communication with the individual,
  • if the personal data are to be disclosed to another recipient, no later than when the personal data are first disclosed.

If providing the “third-party” privacy notice proves impossible or would involve disproportionate effort, then it does not have to be provided; in that case the controller must take appropriate measures to protect the individual’s rights and interests, such as making the information publicly available.  What needs to be in a “third-party” privacy notice will be in a future blog.

If there is further processing of the personal data that is different from the purpose for which the personal data originally were obtained, then a new privacy notice, either an “individual” or a “third-party” privacy notice, with information on that further processing needs to be provided to the individual prior to that further processing.  If the individual already has the information to be provided in an “individual” or a “third-party” privacy notice, then that privacy notice does not need to be provided.

In general, a “website” privacy notice is an amalgam of “individual” and “third-party” privacy notices, and it is posted by an organization on its website so interested individuals can ascertain what an organization’s privacy practices are and so visitors to the website can determine what personal data are collected when individuals visit the website.

GDPRsimple contains templates that help SMEs generate each of these three types of privacy notices. Each template contains the standard information that needs to be in each type of privacy notice and has several blanks which are completed by selecting from drop down boxes or Yes/No answers.  By using the template appropriate for the source of the personal data and the way the privacy notice is provided to the individual, the SME is able to generate a privacy notice that accurately reflects its business practices.  More detail about each template is provided in the blogs on “individual,” “third party” and “website” privacy notices.   

This blog is the second in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  The right of information – What information should be in an “individual” privacy notice?

What types of individual rights are there under the GDPR?

Last week I wrote a blog about how the UK and the Irish regulators are being more lenient if you need more time to respond to requests under the GDPR.  That blog did not describe or explain those requests.  As mentioned in last Friday’s blog on GDPR terminology, there are eight individual rights set forth in the GDPR.  Each of these eight rights will be the subject of its own blog in the next several weeks.  The purpose of today’s blog is to introduce you to each of these individual rights:

  • The right to information (Articles 13 and 14 require the controller to provide certain information to the individual when personal data are collected from him or her and when they are obtained from third parties)
  • The right of access (Article 15 requires the controller to tell the individual whether personal data concerning him or her are being processed and, if they are, to give access to those personal data and certain other specified information)
  • The right to rectification (Article 16 requires correction of inaccurate and incomplete personal data)
  • The right to erasure (the right to be forgotten) (Article 17 requires the controller to erase personal data when certain circumstances exist)
  • The right of restriction (Article 18 requires the controller to limit processing when one or more of certain conditions exist)
  • The right to data portability (Article 20 requires the controller to give the individual personal data concerning him or her in a specified format under certain circumstances)
  • The right to object (Article 21 requires the controller to no longer process personal data concerning him or her when the individual objects on certain specified grounds)
  • The right not to be subject to automated decision-making, including profiling (Article 22 provides this right where a decision based solely on automated processing produces legal effects concerning the individual or similarly significantly affects him or her)

As mentioned in last week’s blog, for the rights set forth in Articles 15 to 22, the controller may need to verify the identity of the individual making the request, and must inform the individual of the action it has taken on the request without undue delay and in any event within one month of receipt.  That period may be extended by two further months where necessary, taking into account the complexity and number of requests, provided the controller informs the individual of the extension, and of the reasons for the delay, within one month of receiving the request.  Neither the UK nor the Irish regulator will penalize organizations that are unable to respond to these requests within the time limit set by the GDPR because of COVID-19.  A request made by electronic means should be responded to by electronic means where possible, unless the individual requests otherwise.

If the controller does not take action on a request, it must inform the individual, within one month of receipt, of the reasons for not acting and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.  Information provided under Articles 13 and 14, and any communication and action taken under Articles 15 to 22, must be free of charge.  If requests are manifestly unfounded or excessive, in particular because they are repetitive, the controller may charge a reasonable fee or refuse to act on the request; the controller bears the burden of demonstrating that a request is manifestly unfounded or excessive.

The controller must communicate the actions taken under Articles 16 to 18 to each recipient to whom the personal data have been disclosed unless it is impossible or involves disproportionate effort.  The controller must inform the individual about those recipients if the individual so requests.

There are different requirements for different individual rights.  Keeping these distinctions straight can seem overwhelming.  Not to worry!  GDPRsimple has an Individual Rights Request Manager that helps SMEs handle requests.  Built into the Individual Rights Request Manager are the GDPR specific and general requirements for each type of request so it is easy for SMEs to comply with these requirements as each request is handled.

This blog is the first in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  The right of information – What types of privacy notices are there?

What’s with all that jargon in the GDPR?

Yesterday I wrote a blog about how the UK and the Irish regulators are being more lenient if you need more time to respond to requests under the GDPR.  If you don’t know anything about those requests, that blog didn’t enlighten you.   There are eight individual rights set forth in the GDPR.  Seven of these rights are subject to the time limitations discussed in yesterday’s blog.  Each of those eight rights will be the subject of its own blog in the next several weeks.  The purpose of today’s blog is to introduce you to the jargon used in the GDPR so when you read the blogs about the individual rights in the GDPR, you’ll understand the terminology.

The GDPR uses many legal, compliance and regulatory terms that amount to jargon.  It is hard to explain what the GDPR says without giving you a dictionary to define some of these terms.  You may say “Just use plain English!”  But in the following cases there just aren’t plain English substitutes.  So, where necessary, the GDPR terms will be used with links back to this blog to remind you what they mean.

The GDPR applies to “personal data.” The term “personal data” means any information relating to an identified or identifiable natural person.  An “identifiable natural person” means one who can be identified, directly or indirectly, by reference to an identifier (e.g. name, identification number).  In these blogs, this natural person is going to be referred to as an “individual.”  A less “formal” term is being used to help you navigate.

The GDPR applies to the “processing” of “personal data.”  “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (e.g. collection, storage, use, disclosure, erasure, destruction).

The GDPR distinguishes between “controllers,” “processors,” and “third parties.”  A “controller” determines, alone or jointly with others, the purposes and means of the “processing” of “personal data.”  A “processor” “processes” “personal data” on behalf of the “controller.”  A “third party” is anyone other than the individual, the “controller,” the “processor,” and the persons (such as employees) who are authorized to “process” “personal data” under the direct authority of the “controller” or “processor.”

How does this apply to you as a small or medium size enterprise (SME)?  If you process personal data, you are a controller if you determine why and how the personal data are processed, and a processor if you process the personal data on behalf of a controller.  Your employees and others who process the data under your direct authority are part of your organization for this purpose, not third parties; anyone else is a third party.

This blog is the first in a series of blogs that will explain, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  What types of individual rights are there under the GDPR?

COVID-19 Leniency by EU Regulators does not Mean that you get off Easy

GDPR in COVID-19

What do SMEs do if COVID-19 has interfered with their ability to respond to GDPR (General Data Protection Regulation) requests?

The GDPR requires organizations to provide individuals with information on the actions they have taken on access, rectification, erasure, restriction, portability, objection and automated decision-making requests within one month of receipt of the request.  That period may be extended by two further months where necessary, taking into account the complexity and number of requests.  The organization must inform the individual, within one month of receipt of the request, of any extension and of the reasons for the delay.

With the onset of COVID-19, some regulators are being more lenient about the timing of responses to these individual rights requests.  The UK Information Commissioner’s Office (ICO) and the Irish Data Protection Commission (DPC) recently recognized that, because of circumstances due to COVID-19, organizations may need more time to respond to these requests (see the ICO’s “Data protection and coronavirus information hub” and the DPC’s “Data Protection and Covid-19” guidance).  Resources, whether financial or people, might be diverted from responding to these requests because of COVID-19.  Regulators cannot extend the statutory deadlines, but neither the ICO nor the DPC will penalize organizations that are unable to respond within the time limit set by the GDPR because of COVID-19; they will take such a lack of resources into account when determining whether to take any enforcement action.

If an organization is having difficulty responding in time, the DPC suggests responding to requests in stages and providing electronic records instead of hard copies.  In any event, organizations should communicate clearly with the individuals making the requests, letting them know what to expect, and should document the reasons for not meeting the timelines.

If your organization needs help in responding to these requests, take a look at GDPRsimple, http://www.keepgdprsimple.com, a technology platform that helps SMEs implement the GDPR and demonstrate their implementation.  GDPRsimple contains generators that walk SMEs through responding to these requests and helps them keep track of their responses to these requests.

Most importantly at this time of rapid change, the ICO and the DPC expect organizations to make efforts to comply with the GDPR to the best of their abilities.  Blatant disregard of the GDPR will not be looked on favorably when times are more normal. If you would like to talk further about this or other topics, please contact GDPRsimple at info@keepgdprsimple.com.