Step 1: Appointing a Data Protection Officer (“DPO”) or “Pilot”
The CNIL’s methodology first stresses the need for organizations to appoint a leader to pilot governance of data protection within their structure. This person will internally carry out informational, advisory and control tasks. Pending the application of the GDPR in 2018, the CNIL suggests that organizations may appoint a French DPO (Correspondant Informatique et Libertés) now. This will allow them to be one step ahead and better organized to comply with the upcoming GDPR. The CNIL strongly recommends appointing a DPO (with internal relays) who will be in charge of ensuring GDPR compliance, even if the organization is not required to appoint a DPO under the GDPR.
The first step will be completed once organizations have appointed a “pilot” responsible for implementing GDPR compliance measures based on an engagement letter, and have provided that person with human and financial means to perform his/her tasks.
Step 2: Data Mapping
For the second step, organizations are recommended to identify, in detail, their data processing activities. They may do so by preparing and maintaining a register of data processing activities. The CNIL’s methodology notes that, under the GDPR, organizations will have to keep full internal documentation of their data processing activities. The CNIL’s methodology proposes a template register.
Organizations may move to the third step if they:
have contacted all the appropriate services and entities that process personal data within their structure;
have established a list of their data processing activities per (main) purpose – not per system or application used – and of the types of personal data processed;
have identified the vendors/data processors involved in each data processing activity; and
know where the data is being transferred and to whom, where it is hosted and for how long it’s retained.
Step 3: Prioritizing Compliance Actions
After preparing the register in the second step, the CNIL’s methodology recommends identifying, for each data processing activity, the actions that will need to be implemented to comply with current and future data protection obligations. This prioritization must take into consideration the risks to the rights and freedoms of the data subjects.
The actions to be implemented will, at a minimum, include:
ensuring that only personal data that is strictly necessary is collected and further processed;
identifying the legal basis for the data processing;
reviewing existing privacy notices to comply with the GDPR notice requirements;
verifying that all vendors/data processors are aware of their new obligations and responsibilities under the GDPR and that appropriate privacy clauses are inserted in services agreements;
defining a procedure for handling data subjects’ requests for exercising their data protection rights; and
verifying the data security measures implemented.
The third step will be completed once organizations have implemented measures to protect the data subjects concerned by their data processing activities and have identified those data processing activities that involve a privacy risk.
Step 4: Managing Risks
If, during the previous step, organizations have identified data processing activities that may pose high risks to the rights and freedoms of data subjects, they will need to carry out a privacy impact assessment (“PIA”) for each of these data processing activities. The CNIL’s methodology refers to the CNIL’s 2015 PIA guides as a tool to carry out PIAs under the GDPR.
The fourth step will be completed once organizations have implemented measures to respond to the main risks and threats to data subjects’ privacy.
Step 5: Organizing Internal Processes
Under the fifth step, organizations must implement internal procedures to guarantee data protection at any time, taking into account all events that may occur during the lifetime of a data processing activity (such as a data security breach, management of data subjects’ requests, changes to the data collected, change in vendors, etc.). In particular, this implies the following actions:
taking into account data protection principles when designing an application or a data processing activity;
increasing employee awareness and ensuring that information is escalated to relevant employees or directors, in particular by developing a training and communications plan;
handling data subjects’ complaints and requests for exercising their data protection rights; and
anticipating data security breaches by ensuring that, where required, the breach will be notified to the data protection authority within 72 hours and, without undue delay, to the data subjects affected.
An online notification service will be available on the CNIL’s website in May 2018. Pending that service, organizations may consult, by way of example, the French data breach notification form used by telecommunications providers to notify their breaches.
Organizations may only move to the final step once (1) best practices for data protection are implemented by the services in charge of implementing data processing activities, and (2) personnel know what to do and whom to contact in the event of a data incident.
Step 6: Keeping Documentation on Compliance Measures
For the final step, organizations must compile and group all necessary documentation together. The actions and documents produced at each step must be regularly re-examined and updated to ensure continued data protection. In particular, this documentation will need to include:
the register of data processing activities (for data controllers) or the categories of data processing activities (for data processors);
PIAs for high risk data processing;
data transfer mechanisms (e.g., EU Model Clauses, Binding Corporate Rules and certifications, where applicable);
consent forms, as well as evidence that data subjects have given their consent where consent is the legal basis for the data processing;
procedures implemented for the exercise of the data subjects’ data protection rights;
contracts with vendors/data processors; and
internal procedures in the event of a data breach.
The sixth step will be completed once the documentation demonstrates compliance with all of the GDPR obligations.
The CNIL will adapt and complete the above tools when relevant GDPR guidelines are published by the Article 29 Working Party.
The Article 29 Working Party – the group of EU data protection authorities charged with agreeing European-wide guidance on the GDPR – has published guidelines on profiling and breach reporting. Guidelines on administrative fines, adopted earlier this month, will be published soon too.
Consistency across the EU is one of the fundamental drivers of the GDPR and, as the UK member of Article 29 (WP29), we’re either leading or assisting in the development of guidance on some of the main aspects of the law.
For example, the feedback we received from stakeholders on our discussion paper on profiling and automated decision-making, helped us in leading the important discussions that resulted in the final European guidelines.
Similarly, consultation responses to our draft guidance on consent are informing our discussions in Europe too. Once WP29 publishes its guidelines – expected by the end of this year – we can continue refining our own, UK-specific guidance on this.
We’re also playing a central role in drafting Europe-wide guidelines on transparency.
In addition to our work at European level we are continuing to work on the wider suite of ICO guidance, prioritising areas that are not on the WP29 workplan but where we have identified a particular need and we think we can add value for our UK audience.
For example, in response to feedback on our draft consent guidance, we’ve committed to produce guidance on the other lawful bases for processing, including legitimate interests.
We have published draft guidance on contracts between data controllers and processors, and we are currently analysing the feedback we received in order to produce the final version. We will also issue guidance on accountability and documentation, and on children’s data, for consultation.
Have your say regarding Canada's revised personal privacy laws. The Office of the Privacy Commissioner of Canada is looking for feedback from the community that will have to comply with these standards.
The Office of the Privacy Commissioner of Canada is looking for your feedback on their draft guidelines for some updates of our privacy laws here in Canada. This is only one area OPC is addressing, but if you are interested in your voice being heard, here's your chance. You can let the Commissioner know your specific thoughts by November 30, 2017.
1. Emphasize key elements
Information provided about the collection, use and disclosure of individuals’ personal information must be readily available in complete form – but to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent.
2. Allow individuals to control the level of detail they get and when
Information must be provided to individuals in manageable and easily-accessible layers and individuals should be able to control how much more detail they wish to obtain, and when.
3. Provide individuals with clear options to say ‘yes’ or ‘no’
Individuals must be provided with easy ‘yes’ or ‘no’ options when it comes to collections, uses or disclosures that are not integral to the product or service they are seeking.
4. Be innovative and creative
Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.
5. Consider the consumer’s perspective
Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s).
6. Stand ready to demonstrate effectiveness
Organizations, when asked, should be in a position to demonstrate the steps they have taken to test whether their consent processes are indeed user-friendly and understandable from the general perspective of their target audience(s).
7. Make consent a dynamic and ongoing process
Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process.
Determining the Appropriate Form of Consent
Organizations must generally obtain explicit consent when:
a) The information being collected, used or disclosed is sensitive;
b) The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or,
c) The collection, use or disclosure poses an increased risk of harm to the individual.
Is CASL still being enforced? Did Minister Bains, Minister of Innovation, Science and Economic Development take the knees out of Ian Scott and the CRTC enforcement team when he "indefinitely postponed" the private right of action in June 2017? All quiet on the CASL front...
A piece of legislation as complex as CASL took many years to write. It started in 2004 and the law was passed in 2010. Technology moves at a slightly different pace than government law-makers. Having said that, given what they knew at the time Industry Canada did an amazing job of tackling a very difficult topic.
According to the Web Services Centre, Communications and Marketing Branch, Innovation, Science and Economic Development / Government of Canada - "The Standing Committee on Industry, Science and Technology’s first scheduled meeting for the statutory review of Canada’s Anti-Spam Legislation will be on September 26, 2017." And to be clear that does not mean it is no longer being enforced! It simply means that in accordance with the language of the law it is to be reviewed in 3 years. It is responsible to examine what has worked and what has not.
CASL has, for the most part in our opinion, worked well. We are seeing businesses be far more responsible about what they send to who and strangely enough, business has survived the whole ordeal. Yet there are issues with regard to CASL.
A little more clear direction please...
CASL leaves a lot of issues open to interpretation and application within your industry and your culture. Record keeping for example. We all know how important it is - the onus of proof is always on the sender. We have to prove consent, dates, times, emails sent, working unsubscribe mechanisms (not sure how we prove the unsubscribe mechanism was or was not working on any specific day in the past). The CRTC has repeatedly stated that we are free to interpret how to apply effective record keeping to our situation, but the fact is we could invest a lot of money and resources in setting up a system or process based on our interpretation, only to find it is not acceptable to CRTC during an audit. They say "interpret it as best you can" but it could still end up causing a fine for your organization. We could use some clear guidance on what type of record keeping practices would be acceptable.
As long as we are reviewing CASL, let's look at some of this ambiguous language and put some standards or parameters around them so those who are interested in being compliant can do so. Let's define or at least give some good examples of what is acceptable proof of consent for the various types of consent so we have better guidance for setting up our systems and processes internally.
Keeping up with the Jones (or in our case, the Europeans)
Switching gears for a moment, as we understand it, CASL and PIPEDA were regulations set in order to allow Canadian companies to more easily conduct business in Europe. The gap in regulations could certainly put Canadian companies at a disadvantage. The European Commission put out Directives, but each European country operated by its own laws within those Directives. And now they have introduced the General Data Protection Regulations (GDPR) which set a whole new global standard for managing people's data, including email addresses. Some legal minds in Europe are recommending a "re-permissioning" of express (or explicit) email consent every 2 years. And - no consent - no email. So customers or prospects who did not grant explicit consent cannot be emailed. This assumes that a lot of change takes place in a person's life every 2 years, so check in and see if the information you are sending them is still relevant to their lives today. So while in Europe it is express consent re-permissioned every 2 years, CASL - which most Canadians thought was far too tough - pales in comparison.
CASL states that express consent, if collected using the proper language, has NO time limit. It is for life or until unsubscribed. This assumes everything is the same for the rest of that individual's life. Should this be reviewed as part of the Standing Committee's review of CASL? I would suggest a 5 year "re-permissioning" rule would suffice. So every 5 years a person must confirm they are still interested in the information you send them. This serves them and the company sending as nobody wants to send messages that are not relevant to people who do not even open their emails. Email marketing, despite the way many marketers have treated it, is not a mass marketing tool. More is not better with regard to email marketing. Engaged and relevant is better.
Then there is our B2B clause: Implied Consent - Conspicuously Published.
If the idea of CASL is to reduce the amount of irrelevant email every Canadian receives, I would say this form of consent creates a huge gap between Canadian business practices and European standards. We are assuming you may be interested in material we want to send you if we can prove your title (role) (proof is likely a screen grab that includes the URL string as well as a date and time stamp) and prove that your email address is publicly displayed without restrictions (same proof applies here), then we can add you to our implied consent list and go ahead and email you. No clear direction has been provided regarding how long this "proof of role and public display" is valid for. For practical purposes we recommend to our clients who rely on this form of consent (most do not) that this proof be refreshed every two years.
On an admittedly small sample size, we are seeing open rates of less than 25% on these types of lists. Is that sufficient? 75% of these people completely ignore the messages yet we keep sending them? Is that not what CASL intended to alter? So we ask, if we are considering the recipient, should this form of consent be allowed under CASL? Are Express consent, implied consent - existing business and non-business relationships and personal relationship good enough when applied to email consent?
The private right of action
Once again switching gears: the infamous and postponed private right of action (PRA). Now here is a prickly issue. The BIG BRANDS lobbied hard through their Industry Associations and pressured Minister Bains into postponing the PRA less than a month before it was scheduled to come into force on July 1, 2017. One can only assume that many of these organizations knew they were not yet compliant with CASL and were concerned if they had to answer to the public. I know the corporate line was "to prevent frivolous lawsuits" but what are they supposed to say? "We're just not ready"?
We saw interest in CASL compliance go from "90 miles an hour" to a dead stop on June 7, 2017. Not just a crawl, a dead stop.
The unintended consequence of the postponement of the PRA was that many perceived that CASL was postponed and they no longer had to be concerned with compliance. We have been stunned by the number of business executives who have said "Oh, we don't have to worry about CASL. It's been put on hold". I wonder how many people will believe the review of CASL starting on September 27th will be further proof that the law is not in force? The potential for miscommunication is huge when there is no communication budget for either Minister Bains's office or the CRTC, at least when it comes to CASL. We have seen no advertising or communication other than the CRTC placing material on their website and issuing press releases that the press seem to ignore - for the most part.
Minister Bains and Steven Harroun must send the market a clear message: CASL is being aggressively enforced and compliance is not optional.
Or has the CRTC stopped enforcing until Minister Bains provides the promised assistance for proper enforcement?
The CRTC has spent the past year and a half putting MOUs in place with many other countries in anticipation that the private right of action would be a significant enforcement tool for CASL. That disappeared with a stroke of the pen. Are the good folks at the CRTC waiting to see what Minister Bains's next move is? Other than the single undertaking with Mr. Halazon, CEO Fined $10,000, it has been "vewy vewy quiet" on the CRTC/CASL front, during a period that we may have reasonably expected several undertakings/violations to be announced. Is there a Mexican stand-off between Ian Scott, the new CRTC Commissioner, and Minister Bains?
CRTC is not handing out a ton of fines for violations or undertakings under CASL and the private right of action has been indefinitely postponed, so why bother changing your organization's email practices when targeting Canadian citizens?
There is a person at the other end of every single email you send.
A real person with whom you are attempting to do business. Very likely, this person did not ask for your email messages, and just as likely, they don't really want them. Yet, because it is relatively cheap to do, we just keep sending blasts that are usually "all about us" and why someone should buy from us. One of our staff had the rather unpleasant experience of finding herself on the Old Navy email list and was sent 4+ messages a day for several days in a row. She stayed on for as long as she could stomach this barrage and finally, having been pummeled enough, she unsubscribed. Who is thinking these programs through? From here it looks like a lot of tactics and very little strategy behind these email programs. Email can be a very valuable tool if used at the right time, targeting a relevant message to the right people.
Let's think this through as a good marketer. Maybe life as a marketer is quite simple: every time you touch a customer or prospect, you are giving "chips" or you are using "chips". For the purposes of this discussion let's consider that a "chip" is a measure of goodwill. Every time your brand is put forth through any medium, are you collecting goodwill or spending goodwill? Given you are paying to have that message delivered, I trust you are aiming to generate chips rather than spending them. A welcome email message (one you have clear consent to send and is relevant to the recipient) should generate a chip, whereas an unwelcome one or irrelevant one sent without consent costs you a chip. How are you doing with your current email program in the chip department?
Now let's think it through as an officer or director of the company.
CASL and the CRTC's interpretations have made it clear they plan to hold officers and directors responsible for the actions of their companies - regardless of size.
Meet Mr. Halazon, the CEO of Transformational Capital Corp. (TCC), who on June 12, 2017 entered into an undertaking with the CRTC to "make a monetary payment of $10,000". After describing the several ways the law was "allegedly" violated (remember, this is an undertaking, which has no admission of guilt, unlike a violation, under which one is found in violation of the law and charged; clearly it is better to co-operate with the CRTC and enter into an undertaking, as the fines are smaller and there is no admission of guilt), the wording is: "It was also alleged that Mr. Halazon was personally liable for this violation pursuant to section 31 of the Act."
CRTC as stated earlier, has not issued a ton of fines but they have been quite strategic in who they have fined for what. The fine for Mr. Halazon is a clear message to the market to call attention to Section 31 of the Act.
Section 31 of the Canadian Anti-Spam Legislation states: "Directors, officers, etc., of corporations. 31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against."
Make no mistake, the postponement of the private right of action is not a reason to ignore this law.
The CRTC, the Office of the Privacy Commissioner of Canada and the Competition Bureau are conducting audits and fining companies and individuals who break the law. Coming into compliance requires some changes in email practices that will result in more goodwill for your brand and less annoyance to your potential customers.
The EU General Data Protection Regulation 2016/679 (GDPR) takes effect May 25, 2018. Organisations are racing to get their houses in order to comply with its strict data protection requirements. When it comes to personal data, individual privacy rights have far-reaching implications at the enterprise level. Yet compliance hinges on quality information governance practices when it comes to data processing and management. Under the GDPR, enterprises must be able to demonstrate that they have implemented technical and organisational measures that show they considered and integrated data protection into data processing activities. Implicit in this requirement is that companies must be able to demonstrate they know what information they possess and where they store it.
This task can be daunting. Developing the right data management toolbox is not merely a matter of investing in innovative technologies or relying on third parties. Rather, it begins with an organisation working with the right internal and external experts to first identify data location, volume, proliferation and protection status, and then define policies for sensitive data classifications. Essentially, GDPR compliance is associated with the enforcement of properly developed records retention policies which establish a schedule for various categories of records or data, identify how long the information is to be kept, and provide a comprehensive plan for disposition. A successful records retention schedule (RRS) requires knowledge of the information and data stored by an organisation. The RRS allows an organisation to meet its business needs while ensuring compliance with legal and regulatory requirements and local or industry best practices.
Most organisations have poor information governance practices. The first step in overcoming the usual obstacles is a multi-disciplinary enterprise accountability initiative to develop a framework outlining the controls, metrics, processes, policies, and roles required to manage data. Unfortunately, this is easier said than done.
Fortunately, the GDPR includes two requirements that serve as information governance resources:
1) Article 30: The Record-Keeping Requirement
Article 30 of the GDPR contains record creation, maintenance, and accessibility requirements. The Article obliges organisations to create and maintain a record of the processing activities under their responsibility (the “Record”).
Creation and Maintenance
The Record should contain up-to-date information, including:
· identification and contact details of the data controller(s), processor(s), their representative(s), and the data protection officer;
· the purpose of the processing;
· a description of the categories of data subjects, personal data, and recipients;
· a list of international data transfers and suitable safeguards concerning the protection of personal data;
· where possible, the envisaged maximum retention periods for each data category; and
· where possible, a general description and assessment of the technical and organisational measures ensuring the security of the processing (the pseudonymisation or encryption of personal data, the ability to promptly restore availability and access to personal data in the event of a physical or technical incident, and a process for regularly testing are examples of these measures).
The appropriate supervisory authorities must have the ability to access the Record upon request.
2) Section 4: The Data Protection Officer (DPO)
Under Article 37 of the GDPR, organisations must appoint a DPO if they carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking), processing of special categories of data, or data relating to criminal histories.
The role of the DPO was first established and delineated in the EU by Section 8 of Regulation (EC) 45/2001, which created the requirement that all EU institutions and bodies have a DPO. Articles 24(1)(d) and 26 of the Regulation instituted the DPO's duty to keep a register of processing operations, and Article 25(2) lists the information to be included, mirroring the GDPR's Record requirements. An adept DPO can help manage the Record, allowing it to become an internal monitoring tool offering an overview of all the personal data processing activities of an organisation.
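The Record contents and the Article 37 triggers described above lend themselves to a machine-readable register with automated checks. The following is an added example written for this page, not code from the CNIL, the ICO or any project; it also covers the rule from the CNIL's fourth step that high-risk processing needs a PIA. The field names, the abbreviated SPECIAL_CATEGORIES set (taken from GDPR Article 9) and the sample register entries are the editor's assumptions and constructed data.

```python
"""Article 30 register of processing activities with automated consistency checks.

Constructed example: the data model mirrors the Record contents listed in the text
(controller contact, purpose, categories, transfers, retention, security measures)
and flags the follow-up actions the text names: a PIA for high-risk processing and
a DPO where the Article 37 triggers apply.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Special categories of personal data, abbreviated from GDPR Article 9 (assumption).
SPECIAL_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions", "religious_beliefs",
    "trade_union_membership", "genetic", "biometric", "health", "sex_life",
}


@dataclass
class ProcessingActivity:
    name: str
    controller_contact: str
    purpose: str
    data_subjects: List[str]
    data_categories: List[str]
    recipients: List[str]
    # Each transfer: {"country": ..., "safeguard": e.g. "SCC", "BCR" or None}
    transfers: List[Dict[str, Optional[str]]] = field(default_factory=list)
    # Data category -> envisaged maximum retention in months; None = not yet determined.
    retention_months: Dict[str, Optional[int]] = field(default_factory=dict)
    security_measures: List[str] = field(default_factory=list)
    high_risk: bool = False            # outcome of the step-3 risk prioritisation
    pia_completed: bool = False
    large_scale_monitoring: bool = False
    criminal_data: bool = False


def check_activity(act: ProcessingActivity) -> List[str]:
    """Return human-readable findings for one register entry (empty list = clean)."""
    findings: List[str] = []
    if not act.controller_contact.strip():
        findings.append("missing controller contact details")
    if not act.purpose.strip():
        findings.append("purpose of processing not stated")
    if not (act.data_subjects and act.data_categories and act.recipients):
        findings.append("categories of data subjects, data or recipients incomplete")
    for t in act.transfers:
        if not t.get("safeguard"):
            findings.append(f"transfer to {t.get('country')} has no documented safeguard")
    for cat in act.data_categories:
        if act.retention_months.get(cat) is None:
            findings.append(f"retention period undetermined for '{cat}'")
    if not act.security_measures:
        findings.append("no technical/organisational security measures recorded")
    if act.high_risk and not act.pia_completed:
        findings.append("high-risk processing without a completed PIA")
    return findings


def processes_special_categories(act: ProcessingActivity) -> bool:
    """True if the entry touches Article 9 data or criminal-history data."""
    return bool(SPECIAL_CATEGORIES.intersection(act.data_categories)) or act.criminal_data


def dpo_required(register: List[ProcessingActivity]) -> bool:
    """Article 37 triggers as described in the text: large-scale systematic
    monitoring, special categories of data, or data relating to criminal histories."""
    return any(a.large_scale_monitoring or processes_special_categories(a) for a in register)


def audit_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map each activity name to its findings; clean activities are omitted."""
    return {act.name: f for act in register if (f := check_activity(act))}


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="newsletter",
        controller_contact="privacy@example.invalid",
        purpose="send product news to subscribers who opted in",
        data_subjects=["subscribers"],
        data_categories=["email", "name"],
        recipients=["email service provider"],
        retention_months={"email": 36, "name": 36},
        security_measures=["TLS in transit", "role-based access control"],
    ),
    ProcessingActivity(
        name="web_analytics",
        controller_contact="privacy@example.invalid",
        purpose="behavioural tracking across the site",
        data_subjects=["visitors"],
        data_categories=["ip_address", "health"],
        recipients=["analytics vendor"],
        transfers=[{"country": "US", "safeguard": None}],
        retention_months={"ip_address": 12},       # no period yet for 'health'
        security_measures=["pseudonymisation"],
        high_risk=True,
        large_scale_monitoring=True,
    ),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        print(name)
        for line in findings:
            print("  -", line)
    print("DPO required:", dpo_required(SAMPLE_REGISTER))
```

Running the block lists three findings for the analytics entry (unsafeguarded transfer, undetermined retention for the health category, missing PIA) and reports that a DPO is required.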
The European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, strengthens data privacy rights for EU citizens and gives regulatory authorities greater powers to take action against companies that breach the law. The regulation introduces some tough new penalties of fines of up to 4% of Annual Global Revenue or 20 Million Euros – whichever is higher. Just to put this in context for the Global 2000 (which have revenues between $1.6 Billion and $171.1 Billion according to Forbes), this means fines could potentially amount to between $64 Million and $6.84 Billion.
With this magnitude of enforcement potential, not to mention the reputational damage that comes from serious breaches of personal information, it is important to be ahead of this regulation.
Most companies that are impacted (that’s any entity that touches personal data on EU citizens, even if the entity did not collect that information itself) will have compliance initiatives underway. However, there’s one essential element that should not be overlooked or left until the last minute. And that’s your third party compliance.
Why Third Parties are an Important Point of Focus
The question needs to be asked – into whose hands are you placing your company’s reputation and exposure to significant financial penalty? More often than not, your third parties are your greatest area of risk exposure – for data security, and for regulatory compliance. How well do you know them?
Third parties are often the weakest link in a company’s data security, and are implicated in about 63% of all data breaches. Some of the largest financial penalties for data control failures to date, including those involving Home Depot, Target and AT&T, have been as a consequence of third party actions. These enforcements have already seen costs running into the hundreds of millions of dollars. Now, the GDPR has just raised the stakes even higher.
It’s also useful to look to other extra-territorial regulation and the trends in enforcement that have developed over time. Regulators generally tend to ‘bare their teeth’ and take prominent (often headline-grabbing) actions early. They telegraph (and even state explicitly) what their areas of focus will be. Elizabeth Denham, UK Information Commissioner, for instance, has already stated that the ICO will be looking at investigations that have the largest impact on the privacy rights of individuals, and that technology firms will be in the cross-hairs.
If you look to other regulation, such as the FCPA, the one thing that has been consistent across its history is that the vast majority of enforcements – around 93% - have been due to third party actions. Regulators often focus on the weakest link of compliance as this is where risk exposure is greatest, and more-often than not this has turned out to be third parties.
And finally, despite its elevated risk, third party compliance is too often overlooked or even placed in the ‘too-hard’ basket. With a focus on compliance within the figurative ‘four-walls’ of an enterprise, companies are failing to properly consider the impact of their ‘extended-enterprise’. But, under the GDPR and other regulation, not only do you need to keep your own house in order – you need to be confident in compliance of your third parties’ houses as well.
When it’s potentially many millions to billions of dollars of enforcement fines that your third parties could be exposing you to, it pays to have robust programs in place.
Key Roles and Definitions in the GDPR
The GDPR strengthens data protection for individuals in the EU in the age of cloud computing, when personal data is collected easily by IT services and government agencies and sometimes used in ways beyond an individual’s knowledge or control. The regulation was adopted by the European Parliament on April 14, 2016 and applies from May 25, 2018, becoming directly applicable law in all 28 EU Member States.
Building on earlier legislation, principally the 1995 Data Protection Directive (95/46/EC), the GDPR reaffirms an individual’s right to know what personal data about them is being collected, why it is being collected, who is using it, and how. (The GDPR’s term is “personal data”; this article uses it interchangeably with the US term PII, but the GDPR definition is broader, as the quotation below shows.) The regulation reaffirms the long-standing right to have personal data erased (subject to exceptions) and the right of access, and establishes a new right to data portability, allowing individuals to obtain their data from one service provider in a machine-readable form so it can be transferred to another.
And what counts as personal data? According to the GDPR (Article 4(1)), it is:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For example, PII could be a database record with a customer’s name, address, and phone number, or it could be as simple as the IP address or MAC address of a consumer’s laptop or smartphone. It could even be a consumer’s post on a social media site about politics, religion, health status, or mood.
Why Third Parties are an Important Point of Focus
Like the Data Protection Directive (95/46/EC), the GDPR defines roles for the people and organizations involved with personal data:
A data subject is the identified or identifiable natural person whose personal data is being collected, stored, or processed; a data subject can be an employee, a customer or a contact of an organization, and need not be an EU citizen.
A data controller is the person or organization that determines the purposes and means of the processing, that is, why and how personal data is processed.
A data processor is a person or organization that processes personal data on behalf of the controller. For example, if a retailer collects customer information and shares it with a third-party call center that handles support calls for it, the retailer is the data controller and the call center is a data processor. A processor that engages its own contractors makes them sub-processors, which it may do only with the controller’s authorization and for which it remains answerable to the controller (Article 28).
The GDPR also defines a personal data breach, which is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” (Article 4(12))
How the GDPR Differs from the EU Data Privacy Directive
How is it different from the EU’s earlier data protection law, the Data Privacy Directive? Here are eleven key differences.
A regulation vs. a directive.
As the R in GDPR reminds us, the GDPR is a regulation, not a directive. In the EU, a directive compels member states to establish laws in accordance with certain guidelines, but those laws can vary in strictness and implementation from country to country. This variation occurred with the Data Privacy Directive. As a regulation, the GDPR will apply universally across all EU Member States when it takes effect. For the first time, data protection law will be consistent across the EU.
A broader territorial scope.
The GDPR is more sweeping in its scope than the Data Protection Directive, which applied to controllers established in the EU (or using equipment located there). Article 3 of the GDPR, “Territorial Scope,” states that the regulation applies to:
The processing of personal data in the context of the activities of a controller or processor established in the EU, regardless of whether the processing takes place in the EU.
The processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing relates either to offering goods or services to those data subjects (whether or not a payment is required) or to monitoring their behaviour as far as that behaviour takes place in the EU.
The GDPR is therefore global in reach. What triggers it is not the citizenship of the individual but the offering of goods or services to, or the monitoring of, people who are in the EU: an enterprise based anywhere that does either falls within the GDPR even though it has no EU establishment, and Article 27 requires such an enterprise to designate a representative in the EU (with limited exceptions).
An increased emphasis on consent.
Consent is one of six lawful bases for processing under Article 6, and where a controller relies on it, the consent must be “freely given, specific, informed and unambiguous” (Article 4(11)) and given by a clear affirmative action; silence, pre-ticked boxes or inactivity do not count (Recital 32). The request for consent must clearly explain what data is being collected, how and why it is being used, and what rights and means the individual has for reviewing the data or withdrawing consent, which must be as easy as giving it (Article 7). (For an example of a consent request form, see the UK home page for Google: www.google.co.uk) As the law firm White & Case points out: “The GDPR makes it considerably harder for organizations to obtain valid consent from data subjects. For organizations that rely on consent for their business activities, the processes by which they obtain consent will need to be reviewed and revised to meet the requirements of the GDPR.”
Liability for data processors, not just data controllers.
The GDPR imposes obligations directly on data processors and makes them liable for breaching them, for example by processing outside the controller’s documented instructions or engaging a sub-processor without authorization (Article 28). Under the previous directive, processors were bound only through their contract with the controller; it was the controller that answered to regulators and data subjects.
A broader definition of data breaches.
Under the GDPR, a data breach is not just the loss or theft of data: the Article 4(12) definition covers any unauthorized disclosure of, or access to, personal data. If an employee sees data that he or she is not supposed to see, that event should be logged and evaluated as a data breach under the GDPR, even if nothing leaves the organization.
A stricter requirement for prompt data breach notifications.
When a data controller becomes aware of a personal data breach, it must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” unless the breach is unlikely to result in a risk to individuals; the notification may be provided in phases if the full facts are not yet known (Article 33). A processor that detects a breach must notify the controller without undue delay (Article 33(2)), so contracts with third parties should fix how, and how fast, that notification happens. In addition, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” (Article 34)
A right to be forgotten.
The GDPR establishes the right for data subjects to request that their personal data be erased (the “right to erasure”, Article 17), subject to exceptions such as compliance with a legal obligation or the exercise of freedom of expression. Data controllers, including search engine companies such as Google, may need to comply with requests by individuals to be “forgotten.”
The requirement for “privacy by design”.
The GDPR (Article 25, “data protection by design and by default”) specifically calls for its requirements to be built into products, projects, processes and systems, rather than being tacked on as an afterthought. This is an interesting development, and one that companies should be paying attention to. It means that companies will need to design compliant policies, procedures and systems at the outset of any product or process development that involves touching personal data.
Support for the pseudonymization of data.
To support “privacy by design,” the GDPR introduces a concept new to European data protection law: “pseudonymization” (Article 4(5)); that is, transforming data so that it can no longer be attributed to a specific individual without the use of additional information, provided that additional information is kept separately and protected by technical and organizational measures. Pseudonymized data is still personal data, because the link to the individual can be restored (Recital 26), so the core rules of the GDPR continue to apply to it. What pseudonymization does is reduce the risk to individuals, and the regulation rewards it: it counts as an appropriate security measure (Article 32) and as a safeguard when personal data is used for further purposes such as analytics or research (Articles 6(4) and 89). Organizations wishing to perform Big Data analysis of customer trends may need to implement pseudonymization schemes before the GDPR takes effect.
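The following is an added illustration of the scheme described above, not code from the original article: direct identifiers are replaced with keyed tokens, the analytics dataset keeps only tokens plus the analytic fields, and the key and the token-to-identity table are the “additional information kept separately” that the definition requires. The customer records are constructed, HMAC-SHA256 truncated to 24 hex characters is an assumed design choice, and the function names are hypothetical.

```python
"""Keyed pseudonymization: direct identifiers are replaced with HMAC tokens.

The secret key (and the token -> identifier lookup it produces) is the
"additional information kept separately"; the analytics dataset on its own
cannot be linked back to a person, yet records of the same person still join.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; the people and values are invented.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "city": "Lyon", "spend": 120},
    {"customer_id": "C-1002", "email": "bob@example.com", "city": "Lyon", "spend": 80},
    {"customer_id": "C-1003", "email": "alice@example.com", "city": "Paris", "spend": 200},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")  # columns that identify a person directly


def pseudonym(key: bytes, column: str, value: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC rather than a bare hash: a bare SHA-256 of an email address is
    reversed by hashing a list of candidate addresses, a keyed MAC is not
    without the key. The column name is bound into the input so the same
    string appearing in two columns yields two unrelated tokens."""
    mac = hmac.new(key, f"{column}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:24]  # 96 bits is plenty for collision resistance here


def pseudonymize(records, key: bytes):
    """Return (analytics_dataset, reidentification_table).

    The dataset keeps only tokens plus non-identifying analytic fields.
    The table maps token -> original value and must be stored and
    access-controlled separately from the dataset (and from the key)."""
    dataset, lookup = [], {}
    for rec in records:
        out = {}
        for col, val in rec.items():
            if col in DIRECT_IDENTIFIERS:
                tok = pseudonym(key, col, str(val))
                lookup[tok] = val
                out[col + "_token"] = tok
            else:
                out[col] = val
        dataset.append(out)
    return dataset, lookup


def spend_per_person(dataset):
    """Trend analysis that works on tokens alone: total spend per customer."""
    totals = defaultdict(int)
    for row in dataset:
        totals[row["email_token"]] += row["spend"]
    return dict(totals)


def reidentify(lookup, token: str):
    """Controlled re-identification; only possible with the separately held table."""
    return lookup.get(token)


def contains_direct_identifier(dataset) -> bool:
    """Release gate for the analytics copy: no raw identifier column may remain."""
    return any(col in DIRECT_IDENTIFIERS for row in dataset for col in row)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice generated and held in a KMS/HSM
    data, table = pseudonymize(CUSTOMERS, key)
    for row in data:
        print(row)
    print(spend_per_person(data))
```

Note what the separation buys: an analyst holding only `data` can compute per-customer trends (both of alice’s orders share a token) but cannot name anyone, while re-identification needs either the key or the lookup table, each of which can be kept under its own access control, and rotating the key re-tokenizes the whole dataset if a copy is ever exposed.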
The requirement for a Data Protection Officer.
The GDPR requires that a Data Protection Officer (DPO) be appointed by public authorities and by any data controller or data processor whose core activities involve the “regular and systematic monitoring of data subjects on a large scale” or the large-scale processing of “special categories of personal data” (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation) or of data relating to criminal convictions (Article 37). Many companies will need to add this position to their IT and compliance staff. (Early drafts of the GDPR limited the requirement for this officer to organizations with 250 or more employees, but the final text removed this limitation.) The GDPR does allow the DPO’s tasks to be performed by a third party under a service contract. It is likely that many companies will hire law firms or other experts to meet their obligations for staffing DPO positions.
Costlier fines for violations.
Penalties for infractions such as not notifying authorities of a breach and not conducting impact assessments can reach up to €10 million or 2% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher. Penalties for more serious violations, such as breaching the basic principles for processing, the conditions for consent, data subjects’ rights or the rules on international transfers, can reach up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83), potentially totaling hundreds of millions of dollars; even billions.
What Steps should Companies be taking now to Manage Third Party Compliance with the GDPR?
Clearly, the GDPR has sweeping ramifications for any organization providing goods or services to EU citizens. But those ramifications become broader when you consider all the third parties that are essential to any Global 2000 organization’s daily operations.
Third parties, which could range from marketing agencies, to debt collection agencies, to law firms, to individual contractors such as software programmers, must also comply with the GDPR if they are involved in any way with the collection or processing of PII for employees, customers or contacts.
Global 2000 companies need to be working on their GDPR Third Party Compliance Programs now. These can take some time to understand, develop and implement and, considering the third-party risks involved, should not be an afterthought.
Here are five steps, together with some suggested timeframes, that you should be taking now:
SO YOU THINK YOUR ORGANIZATION IS CASL COMPLIANT? Here we are, months after the CRTC's full enforcement date, and many organizations are not even close to CASL compliance. The law came into force on July 1, 2014 and the CRTC granted a 3 year transition period in which organizations could use 'the normal, natural course of business' to update all opt-ins to be CASL compliant; that period ended July 1st of this year. Let's look at a simple compliance issue. Are you collecting express consent the proper way?
A CASL compliant EXPRESS opt-in has all of the following elements:
1. The individual has taken a positive action to request that you communicate with them.
2. You have clearly stated your full company name and the mailing address of your office, together with a contact name and 2 ways to contact that person (usually an email address and a direct phone number).
3. You have made a clear statement of what kind of communication the individual can expect from you.
4. You have stated "You can unsubscribe at any time".
If, with all of these elements present, an individual opts in to your organization, CRTC believes it was intentional and of their conscious will. Take a look at your organization's web forms that collect email sign-ups. Is this language all there? Will your claimed express consent actually meet CRTC's standards?
IMPLIED opt-in has its own set of criteria and requires a much longer explanation, but you get the gist of it. No more grabbing email addresses and blasting far and wide hoping you hit something. Those days are gone. CASL is 'upping the standards of professionalism' required to engage in email marketing and SMS text marketing (sure wish they had done this in the telemarketing space years ago).
That's not to say you have been ignoring CASL. As we understand it, many organizations have done a great job of ensuring they have a working unsubscribe in EVERY email sent. Kudos. For many enterprise level clients we are certain that was no easy feat. Just locating every source of email within your organization can be a challenge for Canada's largest firms.
But the fact is that CASL has many moving parts, and the CRTC has stated that the onus is on you to prove that you are not breaking the law. Take the following compliance test and see how your organization is doing. Score your organization from 0 to 10 in each of the following areas, zero being terrible and 10 being perfect:
1. Do you have working unsubscribe mechanisms in EVERY single email you send - both bulk emails and all one-to-one emails sent from your staff? ______/ 10
2. Can an individual unsubscribe with less than 2 clicks? _____/10
3. Is that individual removed or suppressed from your email list within 10 business days of unsubscribing? _____/10
4. Can you describe in detail each and every way you collect email opt-ins, including the exact language you use? _____/10
5. Do you know the consent relationship of your organization with every individual on your opt-in list, as well as the date they should be removed? _____/10
6. Can you prove the date of sign up, the language used, the IP address tracked, and the original source of the granting of permission for each opt-in? ____/10
7. Can you track the data changes, in real time, so you know how the relationship with each individual on your list changes? ___/10
8. Can you prove you only send the kinds of emails you promised in your opt-in description? ____/10
9. Have you documented, in detail, how your entire electronic messaging plan works such that it can clearly be communicated to a new employee? ____/10
10. Have you appointed a CASL Compliance Officer and documented your disciplinary actions and consumer complaint process? ____/10
11. Have you incorporated your documented process into your staff training so everyone in the organization understands these policies? ___/10
12. Do you have a process for making changes to your electronic messaging program? ___/10
13. Do you include the prescribed details in every message sent from your organization? ___/10
Now I ask: Is your organization CASL compliant?
Some believe their Email Service Provider (ESP) helps make you CASL compliant. Fact is, they can probably speak to the unsubscribe mechanism but have no idea about your internal policies and how you secure opt-ins. 'That's your responsibility'. WHO you send to and WHAT you send is none of their business. They are there to handle HOW you send it and CASL includes much more than how you send an email.
As the author of CASL Compliance: A Marketer's Guide To Email Marketing To Canadians, Derek Lackey has developed a comprehensive process we call CASL Keep™. Designed to address all compliance issues raised by the CRTC, the Office of the Privacy Commissioner of Canada and the Competition Bureau, it helps bring your organization into compliance. If you have any doubts about your ability to comply, ask. We are happy to provide practical guidance and direction. We can be reached at email@example.com. Send us your Compliance Score Card - a great place to start.
As stated by CRTC: "Canada's new anti-spam law was passed in December 2010 and, following a Governor in Council order, it entered into force on July 1, 2014. The law will help to protect Canadians while ensuring that businesses can continue to compete in the global marketplace. On January 15, 2015, sections of the Act related to the unsolicited installation of computer programs or software came into force.
The new law generally prohibits the:
- sending of commercial electronic messages without the recipient's consent (permission), including messages to email addresses and social networking accounts, and text messages sent to a cell phone;
- alteration of transmission data in an electronic message which results in the message being delivered to a different destination without express consent;
- installation of computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee;
- use of false or misleading representations online in the promotion of products or services;
- collection of personal information through accessing a computer system in violation of federal law (e.g. the Criminal Code of Canada); and
- collection of electronic addresses by the use of computer programs or the use of such addresses, without permission (address harvesting)."
Let's examine the 5 forms of consent under CASL.
1. Express Consent
An individual intentionally opts-in using transparent language. This is the gold standard of consent, meaning an individual both wants and intentionally requests being added to your email list. These people want the kind of information and offers you intend to send them.
2. Implied Consent - Existing Business Relationship
This includes customers and interested prospects. The CRTC states it this way, "The recipient has made, or enquired about, a purchase or lease of goods, services, land or interest in land, a written contract or the acceptance of a business, investment or gaming opportunity from you. Keep records of how you obtained implied or express consent, since in both cases you have the onus to prove consent." A purchase gives you a 2 year time limit, and the 2 year clock resets to the date of each further purchase. Note that under section 10(10) of the Act an enquiry or application alone (a quote or demo request, say) gives only 6 months, so a prospect who never buys drops off your list much sooner than a customer.
3. Implied Consent - Existing Non-Business Relationship
This is for registered charities, political parties or candidates where the individual has provided a gift or donation, or has volunteered, in the past 2 years. This form of consent also applies to members of clubs, associations or voluntary organizations. The 2 year time limit applies, as does the proof of consent.
4. Implied Consent - Conspicuously Displayed or Referred
This is what has become known as the B2B Clause. If someone:
1. displays their email address publicly, online or otherwise,
2. does not include a statement indicating non-solicitation
3. is currently in a role that is relevant to the content (CEMs) you intend to send them
Again, this form of consent is implied and therefore lasts 2 years from the date you can prove the above 3 factors. Remember the onus of proof is on you.
5. Personal Relationship
A "personal relationship" requires that the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used).
Let's begin with the first of the 5 forms of consent under CASL: express consent.
An individual intentionally opts-in using transparent language. This is the gold standard of consent, meaning an individual both wants and intentionally requests being added to your email list. These people want the kind of information and offers you intend to send them. If you are using electronic messaging (primarily email and SMS text messages) to solicit new customers, this law changes the game, as it is far more difficult to get express consent from people who do not yet know your brand or what you offer. If you intend to use email or SMS text marketing for new customer acquisition, you must come up with strategies to request express consent. Under CASL, you cannot even send one email to ask for consent, because the request is itself a commercial electronic message.
The CRTC is the main enforcement agency and their description is "Valid consent given in writing or orally. The Recipient gave you a positive or explicit indication of consent to receive commercial electronic messages. Your request for consent set out clearly and simply, the prescribed information. Express consent is not time-limited unless the recipient withdraws his or her consent. Keep records of how you obtained implied or express consent, since in both cases you have the onus to prove consent."
If the recipient is filling out a form to sign up for your email newsletter, the act of providing their email address is their "positive action". The positive action can also be ticking a checkbox, provided the box is unchecked by default and accompanied by specific, open and transparent language; a pre-checked box is not a positive action. It is the fact that the individual has to check the box themselves that makes it a "positive action".
The "prescribed information" is:
a) You must clearly state Company Name and mailing address
b) Describe what type of information they can expect and how often
c) Provide a contact name and 2 ways to contact them (can be a link)
d) State “You can unsubscribe at any time”
You must store the proof and be able to produce it upon request. The contact information contained in each commercial electronic message (CEM) must remain valid for 60 days from the date the message was sent.
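The consent rules above (express consent with no expiry unless withdrawn, implied consent with a clock that resets on each new purchase, donation or enquiry, a 10 business day window to honour an unsubscribe, and proof that the CRTC can ask for) are the kind of thing that ends up in a marketing database's consent table. The following is an added sketch of such a ledger, written for this page rather than taken from the article or from CASL Keep™. The record layout, the function names and the sample addresses and dates are constructed; the statutory periods are approximated in calendar days (365-day years, and the 6 month enquiry term comes from section 10(10) of the Act rather than from the article); statutory holidays are not modelled when counting business days.

```python
"""Constructed consent ledger for CASL-style consent tracking (example code,
not from the article). One record per address holds the proof of consent and
the rule for whether a commercial electronic message (CEM) may be sent."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Consent(Enum):
    EXPRESS = "express"                            # no expiry unless withdrawn
    IMPLIED_PURCHASE = "implied_purchase"          # existing business relationship: 2 years
    IMPLIED_ENQUIRY = "implied_enquiry"            # enquiry/application only: 6 months (s.10(10))
    IMPLIED_NON_BUSINESS = "implied_non_business"  # donation, volunteering, membership: 2 years
    IMPLIED_CONSPICUOUS = "implied_conspicuous"    # published address, no non-solicitation notice


# Calendar-day approximations of the periods (assumption: 365-day years).
TERM = {
    Consent.IMPLIED_PURCHASE: timedelta(days=2 * 365),
    Consent.IMPLIED_ENQUIRY: timedelta(days=182),
    Consent.IMPLIED_NON_BUSINESS: timedelta(days=2 * 365),
    Consent.IMPLIED_CONSPICUOUS: timedelta(days=2 * 365),  # the article's 2-year reading
}

# Proof you must be able to produce, per basis (date, language, IP address, source).
REQUIRED_PROOF = {Consent.EXPRESS: ("obtained_on", "wording", "source", "ip_address")}
DEFAULT_PROOF = ("obtained_on", "wording", "source")


@dataclass
class ConsentRecord:
    address: str
    basis: Consent
    obtained_on: date              # sign-up date, or date of the qualifying event
    source: str                    # form URL, POS system, event name, ...
    wording: str                   # exact consent text shown, or the evidence (invoice no., URL)
    ip_address: Optional[str] = None
    withdrawn_on: Optional[date] = None

    def refresh(self, basis: Consent, on: date, source: str, evidence: str) -> None:
        """A new purchase, enquiry or donation restarts the implied-consent clock
        from that date. Express consent has no clock and is left untouched."""
        if self.basis is Consent.EXPRESS:
            return
        self.basis, self.obtained_on, self.source, self.wording = basis, on, source, evidence

    def withdraw(self, on: date) -> date:
        """Record an unsubscribe; returns the last day by which the address
        must be suppressed (10 business days after the request)."""
        self.withdrawn_on = on
        return business_days_after(on, 10)

    def can_send(self, on: date) -> Tuple[bool, str]:
        """Withdrawal always wins; express never expires; implied consent expires."""
        if self.withdrawn_on is not None and on >= self.withdrawn_on:
            return False, f"consent withdrawn on {self.withdrawn_on}"
        if self.basis is Consent.EXPRESS:
            return True, "express consent, not withdrawn"
        expires = self.obtained_on + TERM[self.basis]
        if on <= expires:
            return True, f"{self.basis.value} valid until {expires}"
        return False, f"{self.basis.value} expired on {expires}"

    def proof_gaps(self) -> List[str]:
        """Proof fields you could not produce if asked today."""
        needed = REQUIRED_PROOF.get(self.basis, DEFAULT_PROOF)
        return [f for f in needed if not getattr(self, f)]


def business_days_after(start: date, n: int) -> date:
    """Add n Monday-to-Friday days (assumption: statutory holidays not modelled)."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day


if __name__ == "__main__":
    # Constructed sample; the address and dates are invented.
    rec = ConsentRecord("buyer@example.com", Consent.IMPLIED_PURCHASE, date(2015, 6, 1),
                        "web-store", "order #1001")
    print(rec.can_send(date(2017, 8, 1)))   # expired: last purchase more than 2 years ago
    rec.refresh(Consent.IMPLIED_PURCHASE, date(2017, 6, 1), "web-store", "order #1877")
    print(rec.can_send(date(2017, 8, 1)))   # valid again, clock reset by the new order
    print(rec.withdraw(date(2017, 7, 3)))   # must be suppressed by 2017-07-17
```

The point of keeping `wording`, `source` and `ip_address` on the record rather than in a separate log is that the proof travels with the address: when the CRTC asks how a particular recipient came to be on the list, `proof_gaps()` tells you before they do whether you can answer.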
Here is an example from the Direct Marketing Association of Canada
The following is an extract from the law. Note that this provision (section 10) governs express consent for sections 6 to 8: section 6 deals with electronic messages, section 7 with the alteration of transmission data, and section 8 with the installation of computer programs.
Express consent — sections 6 to 8
10 (1) A person who seeks express consent for the doing of an act described in any of sections 6 to 8 must, when requesting consent, set out clearly and simply the following information:
(a) the purpose or purposes for which the consent is being sought;
(b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and
(c) any other prescribed information.
(2) Despite paragraph (1)(b), for the purposes of section 6, if a person is seeking express consent on behalf of a person whose identity is not known,
(a) the only information that is required to be provided under that paragraph is prescribed information that identifies the person seeking consent; and
(b) the person seeking consent must comply with the regulations in respect of the use that may be made of the consent and the conditions on which the consent may be used.