Tag: GDPR compliance

  • GDPR: How to Handle a Data Breach

    Photo by Christoph Scholz from Flickr (Creative Commons License)

    Every company that sends commercial email to people who reside in the EU, or otherwise processes their personal data, has to comply with the new privacy law, the General Data Protection Regulation (GDPR). This law has specific rules about how companies have to respond when a personal data breach occurs. It’s so much better than the current rules in the U.S.

    Report the Breach to the Supervisory Authority within 72 Hours

    When a personal data breach occurs, the data controller (the company, not an individual employee) must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a notice that arrives later than that must explain the reasons for the delay. The notice must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records affected), give the contact details of the data protection officer or another contact point, state the likely consequences of the breach, and describe the measures the company has taken or proposes to take to address it and mitigate its possible adverse effects. A processor that discovers a breach must notify the controller without undue delay.

    The only exception to this rule is if the breach is unlikely to result in a risk to the rights and freedoms of natural persons; in other words, the company doesn’t have to report a breach that will not likely cause harm to those affected. Either way, the company must document every breach, its effects, and the remedial action taken, so the supervisory authority can verify compliance after the fact.

    Report the Breach to Consumers

    In addition to notifying the regulator, the company must, without undue delay, notify the people whose data was compromised if the breach is likely to result in a high risk to their rights and freedoms. Note the higher bar: the regulator is notified for any breach that presents a risk, but individuals only when the risk is high. That notice must describe the nature of the breach in clear and plain language and contain at least the contact point, the likely consequences, and the mitigating measures listed above. The law doesn’t specify a number of days or a rubric for determining what counts as notification “without undue delay.”

    Companies should notify the affected persons individually unless doing so would require a disproportionate effort. In that case, notification may be made by a public communication or a similar measure that informs them equally effectively.

    There are exceptions to this requirement. The company does not have to notify the affected individuals if the personal data would be unintelligible (e.g., encrypted) to whoever obtained it, or if it has since taken measures that make the high risk unlikely to materialize. A practical caveat on the encryption exception: it only holds if the encryption key was not also compromised and the scheme is one an attacker cannot break, so a breach that exposes both the ciphertext and the key, or data protected with a weak or reversible scheme, still has to be disclosed. These exceptions apply to notifying individuals; the notification to the supervisory authority is governed by the separate “unlikely to result in a risk” test above.

    These new requirements are fantastic. These will hopefully eliminate the problem of companies waiting weeks or months to disclose to impacted consumers that their personal data was hacked.


    Remember, if you are subject to the GDPR, you must comply with it by May 25, 2018, when it goes into effect.

    If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

    You can also connect with me on Twitter, Facebook, YouTube, or LinkedIn.

  • GDPR: Protecting Personal Data

    Image by Descrier from Flickr (Creative Commons License)

    The General Data Protection Regulation (GDPR) is the new privacy law that goes into effect on May 25, 2018. Every company that sends commercial email to people in the European Union must comply with it, even if the company is not located in the EU. The law’s purpose is to give people control over their personal data (for marketing email, that means obtaining consent before you use it) and to require you to protect that data adequately.

    Protection by Design and Default

    The GDPR requires you to take adequate precautions to protect the personal data entrusted to you. The law does not specify exactly what you must do to protect this data beyond requiring “appropriate technical and organisational measures” chosen in light of the state of the art, the cost of implementation, and the nature, scope, context, and purposes of your processing. It does name examples of such measures: pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of your systems, the ability to restore availability and access promptly after an incident, and regular testing of how effective those measures are. The level of security should correlate to the level of risk presented by the nature of the data and what you’re doing with it. Additionally, you should collect and process only the data necessary to fulfill your purpose.

    Another requirement of the GDPR is that the people who have access to data subjects’ information may only process it on the data controller’s instructions. This is a rule every organization should have regardless of the law: only those who need access to a data subject’s information should have it, and that access should be limited to the tasks for which they need it (the principle of least privilege). In practice that means named accounts rather than shared logins, access granted by role, and periodic review and removal of access that is no longer needed.


    Maintain Records of Processing Activities

    The GDPR requires companies to maintain a record of their processing activities. Companies with fewer than 250 employees are exempt from this requirement, unless any of the following applies:

    1. The processing is likely to result in a risk to the rights and freedoms of data subjects;
    2. The processing is not occasional; or
    3. The company processes data relating to criminal convictions and offences, or data that falls into one of the following special categories:
    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade-union membership
    • Genetic data
    • Biometric data for the purpose of uniquely identifying a natural person
    • Data concerning health
    • Data concerning a natural person’s sex life or sexual orientation

    As a company with no employees (just me running this show) where the only information people give me is their email address and name, I don’t have to maintain this record. If I did, it would only be a list of the newsletters I sent, and the service I use keeps my list protected behind a password.



  • GDPR: Full Disclosure Required

    «Via sicura» by Falk Lademann from Flickr (Creative Commons License)

    If you’ve been following this blog, you know I’m all about preparing for the General Data Protection Regulation (GDPR) as it applies to content marketing. This rule applies to every company that sends commercial emails to anyone in the European Union. (If you don’t know where everyone on your list is located, assume at least one of them lives in the EU.) We’ve already talked about how, under this law, when you want to add a person to your email list, you must get their specific informed consent and you must be able to prove that you obtained their consent to be on your list.

    When you obtain this consent (that is, at the time you collect the data), the GDPR requires you to provide the person (aka the data subject) with the following information:

    • The identity and contact information of the controller of the data subject’s information or their representative;
    • The contact information for the data protection officer (if applicable);
    • Your purpose for processing the data subject’s information and legal basis for doing so;
    • The period of time the data will be stored;
    • The data subject’s right to request erasure or corrections of their data or to restrict the processing of their data;
    • The data subject’s right to withdraw their consent;
    • The data subject’s right to lodge a complaint with the supervisory authority; and
    • Whether providing the information is a statutory or contractual requirement (or necessary to enter into a contract), whether the person is obliged to provide it, and what happens if they don’t.

    If you later want to process the subject’s data for another purpose, you must tell the person before you do so. When a person’s data is processed for direct marketing, the data subject has the right to object at any time, and once they object you may no longer use their data for that purpose. Where they apply, the law also requires you to disclose who will receive the data, whether it will be transferred outside the EU and under what safeguards, and whether you use it for automated decision-making, including profiling.

    On my first reading of these requirements, my first thought was that the signage at conferences where vendors collect business cards would have to become much more complicated to comply with GDPR. I thought about how this firm will comply with these requirements. People voluntarily add themselves to my email list, so I don’t know where they live. I will be adding double opt-in consent for my email list, and I believe the most effective way to comply with these requirements is to include this information in the confirmation email.


    We have to comply with these rules by May 25, 2018, when the GDPR goes into effect.

