GDPRsimple

Last Friday, a blog I wrote recommended using Zoom’s Waiting Room as a way to avoid Zoombombing.  A security report issued last Friday found a security issue with Zoom’s Waiting Room and intends to publish details of the vulnerability once Zoom has had an opportunity to address the issue.  The report recommends using passwords instead, as my blog last Friday also recommended, and which Zoom enabled “on” starting yesterday, as I mentioned in another blog last Friday.

Starting March 30th, we at GDPRsimple started to document the situation regarding Zoom’s privacy and security concerns. Come here for specific updates:

Zoom-ing Privacy Concerns

Zoombombing Your Friday Afternoon….

We just keep Zooming to you with Updates

Avoid the Waiting Room (for now or forever?)

Passwords & Zoom….

When the NY AG comes a knocking … Zoom responds to privacy and security concerns. What are they? Is it enough?

The Zoom Encryption Update (?)

Earlier today, I wrote a blog about how to use passwords instead of links to access Zoom meetings and about how to enable Waiting Room (in addition to some other security features). This afternoon, Zoom sent an email to its customers about “Zoom Meetings Security Enhancements” that are coming April 5th . Zoom is enabling all of the meeting passwords “on” and is turning Waiting Room on by default. The email customers received is below.

No sooner had I mentioned Zoom as an application used for video and audio conferencing that was very popular with those of us working remotely and encouraged reading its privacy policy before using it, than problems with its privacy policy surfaced.  (See my blog).  Now there are problems with “Zoombombing,” the crashing of meetings on Zoom with obscenities and nudity.  Several articles have been written on the ways to keep “Zoombombers” away:

• Use Zoom? These 5 safety tips can keep the Zoombombing hackers away
• Zoombombing: What it is and how to prevent it in Zoom video chat
• Here Are 8 Quick Tips To Keep You From Getting “Zoombombed” By Trolls

Some of these safety tips are:

1. Don’t click on a link in the Zoom invite because it could be a phish.  Instead, invite people to a Zoom meeting with a meeting ID and password which are used when logging into http://www.zoom.us.
2. Don’t use a Personal Meeting ID for meetings, but instead use a per meeting ID exclusive to a single meeting.
3. Change the screen share options.  Go to Settings, after enabling Screen Sharing, instruct Zoom to only let the Host share the screen.
4. Use Waiting Rooms.  Go to Settings, go to In Meeting, scroll all the way to the bottom, enable Waiting Room.
5. Disable other options in Settings:  Join before the host, Autosaving chats, File transfer, Annotation, and Remote control. 

Last week I wrote a blog about some of the steps you need to take if you have started using technologies you haven’t used before to assist in working remotely.  One of the steps discussed was looking at the privacy policies posted by each technology on its website to make sure you are comfortable with its practices before you start using it.  One of the technologies we discussed in that blog was Zoom, a free (and paid) application that is used for video and audio conferencing.  This week, several articles have been written about Zoom and its privacy practices:

• The New York Times writes that the New York Attorney General is looking into Zoom’s privacy practices.  According to the New York Times, Zoom has received a letter from the New York AG’s office “asking what, if any, new security measures the company has put in place to handle increased traffic on its network’ because the AG’s office is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity  of data being passed through its network”.  The New York Times article can be found here.  (Registration may be required.)
• The Intercept reported that Zoom “computer audio” meetings aren’t end-to-end encrypted as advertised.  With end-to-end encryption Zoom “computer audio” meetings couldn’t be accessed by Zoom employees because they don’t have the encryption keys.  It turns out, however, according to The Intercept, that Zoom meetings are transport encrypted which can be accessed by Zoom employees.  The Intercept article can be found here.
• Business Insider writes that a class action lawsuit has been filed against Zoom in California based on Zoom’s practice of sharing personal information with Facebook and not stating in its privacy policy that it did so.  The Business Insider article can be found here.

Privacy is a buzz word today. We were before the trend. Our founder Lynn is a world-renowned privacy expert, and she has been at this since before this was a fashionable trend.

She started GDPRsimple for SMBs to get ahead of the curve on privacy and data protection. And she has talked far and wide about the international privacy laws.

Come along with us as we write about privacy and data protection. From Privacy 101 to the hot topics of the days. We promise to make this interesting (and educational).

With Covid19, large numbers of employees are working remotely, not going into the office, and are rapidly adopting technologies that they hadn’t used before in order to be able to continue to service their customers. 

We at GDPRsimple have always worked remotely because for part of the year I live in a different state than my co-founder.  This is how we know that there are several key steps that you need to do immediately to protect your business from regulatory criticism: 

1. Make a list of the new technological solutions – known as third party service providers – that you and your entire team are using.  Ideally, steps 2-4 would have been done before you started using these technologies.  However, these recommendations recognize that the exigencies of getting your business up and running remotely on short notice may not have allowed for such an orderly process.   

Many organizations now are using far more technologies than they previously used. As a result of working remotely, many workforces now need to frequently use video and screensharing.  Examples of these technologies are Zoom, Slack and Crowdcast.  Depending on how you use them, each of these technologies may collect information about you, your employees, and any information you may share about your users and customers. 

• Now take that list and bucket it into two groups.  (There are more groups beyond this such as cloud, but we will focus on these for now as they relate to the changes in work due to Covid19): 

Secure: These are technologies that are built to be protective of personal data.  One of the value propositions for them has to do with the fact that they securely send, receive and store information via the Cloud.  Examples are DropBox and Box for file storage and DocuSign for electronic document signing. 

Customer Service: There are other technologies that are used to help teams to communicate with and about customers – from segmentation to acquisition to retention and servicing.  These platforms probably have been added to your technological suite as a result of Covid19 and could be anything from videoconferencing and screensharing (e.g. Zoom, GoogleHangout, Skype) to messaging (Slack) to data collection, sorting, and integration (AirTable).   

No personal data should be shared on these platforms.  Do not send individual customer identification numbers or bank account numbers via any of these platforms.  Instead, convey personal information by phone or by a means of secure transport (e.g. secure email or DropBox or Box). 

• Now that you have your two buckets, look at the privacy policies that these organizations post on their own websites.   

You – as a leader of your team, department, company – need to know how each of those companies use, disclose and share personal data collected on their platforms.  In particular, you will want to make sure that the Servicing Customer platforms do not use, disclose or share the personal data other than to provide the service you have hired them to provide (e.g. video conferencing or screen sharing).   

• After educating yourself, update your own privacy policy. 

We recommend you use GDPRsimple to help update your privacy policy.  GDPRsimple contains logic driven document generators to help you and your company keep these policies up-to-date.  Even more, you can keep a history of the different versions of the privacy policy, and you can track all of them automatically within GDPRsimple. 

In the sprint to implement GDPR by May 2018, many organizations fell into the expedient practice of either using canned privacy policies or copying their competitor’s privacy policy as their own.  These “templates” a) do not take into account the individual choices of your business, and b) are out-of-date now because you are using more technology platforms than before because of Covid19.  Indeed, recently the regulator for the UK fined a pharmacy £275,000 for, among other things, merely copying National Pharmacy Association policy templates – read more here. 

We at GDPRsimple built a platform for you – the CEO, the team leader, the entrepreneur.  The GDPR is complicated, and we wanted to simplify it for you.  Contact us today at info@gdprsimple.com to learn more. 

With the onset of Covid-19, we at GDPRsimple are putting together privacy and data protection resources below.

Now that your entire company is working remotely, what do you need to do differently for the GDPR?

Zoom Specific Updates

Data Commissioner Individual Rights Requests Expectations during Covid-19

Hold up Hungary, Individual Rights still exist!

Check back to learn more!

A New Year’s Resolution for SMEs:  If you haven’t put the GDPR into practice yet, you should start now!

By Lynn Goldstein, Founder of GDPRsimple

You keep saying to yourself:  “GDPR, what is it?  I know that we needs to do something about the GDPR.”  Or you are saying:  “It’s our 2020 goal to do more to implement GDPR?”  Or are you responding to biz dev and RFP opportunities and know that your response isn’t up to snuff?  Not a problem, start now!

GDPR expanded the rights provided to individuals in the EU Directive and created several entirely new rights that regulators have started enforcing against SMEs.   

Under the GDPR, individuals have the right to:

• Be informed (e.g. told what personal data about them are collected and how their personal data are used)
• Access their personal data
• Rectify their personal data if it is inaccurate or incomplete
• Erase personal data when certain grounds apply (to be explained in a subsequent blog)
• Restrict processing of personal data when certain grounds apply (to be explained in a subsequent blog)
• Port data (specifically when data is processed based on consent or contract and is carried out by automated means)
• Object to processing of personal data concerning them under certain circumstances (to be explained in a subsequent blog)
• Refuse to be subject to automated decision-making, including profiling, unless an exception applies

Each of these rights will be explained in more detail in subsequent blogs, but the important points are:

• these rights create new responsibilities for you as businesses, especially if you process (e.g. use) personal data,
• not being able to comply with these rights can cause individuals to complain to their regulators, and
• you must reply to requests to exercise these rights requests fast and accurately.

Most SMEs think they are too small for anyone – customers, employees, regulators – to notice if they don’t comply.  That is not the situation under the GDPR.  Each regulator must “handle” every complaint lodged with it by an individual.  So, if an SME does not respond to an individual right exercised by an individual, individuals can file complaints with the regulator of the country where the individual lives, where the individual works, or where the SME’s failure to respond took place.  The filing of a complaint could lead the regulator to look into your business and assess fines.  How much could those fines be?  Up to 4% of your total worldwide annual turnover (gross revenue).

Sure, you may be saying to yourself that since it takes time for complaints filed with regulators to be investigated, you don’t need to worry about it just yet.  Not the case, we hate to say!  The results of these investigations are just starting to be seen, and they are coming fast and furious.  The Irish regulator addressed and resolved over 6,000 complaints in 2019!  Individuals are exercising their rights.  The German Bavarian state regulator announced it is auditing the implementation of the GDPR in SMEs. 

Other regulators already have investigated and fined SMEs!  The following are just a few examples:

• In November, the French regulator imposed a €500,000 fine on a company of less than 100 employees that was the subject of a complaint from an individual for five violations of the GDPR: failure to process data which are adequate, relevant and limited to what is necessary for the purposes for which they are processed; failure to inform the individuals; failure to respect the right to object; failure to cooperate with the supervisory authority; and failure to provide the appropriate safeguards regarding the transfer of personal data outside the EU. 
• In October, the Polish regulator imposed a fine of approximately €47,000 on a marketing industry company for failure to implement appropriate technical and organizational measures to enable easy and effective withdrawal of consent to the processing of personal data and to exercise the right to request the immediate deletion of personal data. 
• In December, the Belgian regulator imposed a fine of €15,000 on an SME operating a legal information website with approximately 35,000 unique visitors a month because insufficient information was provided about cookies deployed on the website, because the appropriate type of consent was not obtained for certain types of cookies and because there was no easy way to withdraw consent.   

Many SMEs want to comply with the GDPR but don’t know how.  This blog is the first in a series of blogs that will explain, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

We at GDPRsimple put together a series of posts on what is the GDPR. Please keep coming back to this page to see new posts and updates to old posts as information becomes available.

What’s with all that jargon in the GDPR?

What types of individual rights are there under the GDPR?

The right of information – What types of privacy notices are there?

The right of information – What information should be in an “individual” privacy notice?

The right of information – What information should be in a “third-party” privacy notice?

The right of information – What information should be in a “website” privacy notice?

The right of access – What is it?

The right to rectification – What is rectification?

The right of erasure – What does it mean to get “erased”?

The right of restriction – What is the right to restrict processing?

The right to data portability – What is this right and data portability?

The right to object – What is this right and how does it work?

The right not to be subject to automated processing – what does this mean?

How does the GDPR change individual rights?

How do I keep all these rights straight?  Are there any commonalities between all these rights?

How to break the GDPR into bite sized pieces

What is a “legal basis to process personal data”?

How to get consent from individuals to process their data?

What does it mean for an organization to have a legitimate interest to process personal data?

How to conduct a legitimate interest assessment

What does it mean to use contract as a legal ground for processing personal data?

Do you use a processor to process or are you a processor who processes personal data?

What kind of agreements do you need if you are a processor or use a subprocessor?

What needs to be in the agreement between the controller and the processor?

What is a data breach under the GDPR and what do you do when one happens?

What needs to be in a GDPR personal data breach notification?

Why you should have a Personal Data Breach Policy and what should be in it?

How is security of processing assessed?

Why you should have a Data Protection Policy and a Data Retention and Erasure Policy and what should be in them?

When is a data protection impact assessment required and how is it conducted?

What consultations should occur prior to high-risk processing?

Records of Processing Activities