GDPR News

A Comparison of the Privacy Shield and the GDPR

With the introduction of the General Data Protection Regulation (GDPR) fast approaching, many are wondering how it compares to or will integrate with other privacy and security laws and agreements, such as the Privacy Shield. As the GDPR will come into effect on May 25, 2018, it is important to clear up any confusion as quickly as possible.

A central goal of the GDPR is to ensure that the personal data of people in the European Union (EU) will be protected, and that any storage or processing of this data will only be done in countries that have very strict legislation governing data protection.

Currently, the legal safeguards and frameworks that exist within the United States (US) do not reach the standards required by the EU and the GDPR. This would mean that businesses and organizations based in the US would not be permitted to process data from EU countries. The Privacy Shield agreement was made to allow individual US based organizations to prove that their data protection procedures are at a high enough level to allow them to process data from EU countries.

How Does the Privacy Shield Work?

The Privacy Shield agreement was made to replace the Safe Harbour agreement that existed between the EU and the US. By meeting the criteria of the Privacy Shield agreement, US companies and entities should be able to receive, process, store, and transfer EU data in a GDPR compliant fashion. Some of the elements that must be in place include:

  • Stronger data protection obligations placed on US entities when dealing with data relating to individuals based in the EU.
  • The processing and use of personal data must be strictly limited to defined goals – no general access or use is permitted.
  • Individuals within the EU are protected from harm and have the capacity to seek compensation, damages, or an indemnity.
  • An annual review of the Privacy Shield is to be conducted by both the EU and the US to ensure viability and purpose.

To compare the Privacy Shield with the GDPR is not really possible, given that one only exists as a means to determine compliance with the other. The overall aim of the two is the same: to ensure data protection for people in the EU.

What is Meant by Consent in the GDPR?

The GDPR will repeal and replace EU Directive 95/46/EC – The Data Protection Directive. An element of this Directive that caused confusion concerned what exactly constituted consent. Consent and correctly receiving it is a critical aspect of legally processing data as consent is one of the legitimate reasons to allow an organization to store or use personal data. The way the current Directive is written led some member states to emphasize different aspects of consent and how it should be sought. The GDPR should facilitate a more harmonious approach to this area by introducing more detailed definitions, while the general understanding of “consent” itself will not be changed.

What Definitions have been Added?

Let us review the two definitions relating to consent:

Directive 95/46/EC: “The data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

GDPR: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

The GDPR definition adds the term “unambiguous” to its definition, but this is actually present in Article 7 of the Directive – “Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent…”

The GDPR definition also introduces “by a statement or clear affirmative action”. This addition is much more important. Individuals must now take action to provide consent. As the GDPR also states, “silence, pre-ticked boxes or inactivity should not […] constitute consent”. This means individuals must check boxes themselves, orally affirm their consent, press a button, or perform some other active measure to provide consent.

The notion of “freely given” has also been updated. As well as instances where an imbalance of power between parties may affect free will, the GDPR notes “consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.

US based companies, or those looking to utilize the services of such companies should closely review both the GDPR and the Privacy Shield agreement. All companies involved in collecting or processing data from individuals in the EU should ensure that consent received in the past is GDPR compliant and that procedures for gathering consent meet the necessary standards. Not doing so could result in non-compliance and heavy fines.

The post A Comparison of the Privacy Shield and the GDPR appeared first on HIPAA Journal.

GDPR Definition of Personal Data

The General Data Protection Regulation (GDPR) will govern how personal data collected within the European Union (EU) must be treated, but what is the definition of personal data under the GDPR? This question has been causing confusion for certain organizations, but they still must have their systems in place to correctly collect and process data before the law comes into force on May 25, 2018.

The term “personal data” is defined in the text of the GDPR’s Article 4, Definitions, but the definition which is given is very broad and intentionally vague. This means that groups must be careful with almost any data that they collect or process. There may even be differences in what is counted as personal data based on the activities, data collected, or processing requirements of the data controller or data processor – it is possible that context will play a role in what is defined as personal data.

The definition stated in Article 4 is that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”.

It is worth taking into account that the GDPR also states that “this Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”

To summarize the definition, we can say that, for the most part, personal data under the GDPR governs data that can be used to identify a living person. However, it is important to look a bit deeper into this.

What can be Considered Personal Data?

As “data which can be used to identify a living person” is extremely general, we should examine the concept of “personal data” from a different angle and in respect to different contexts.

Let us imagine a company that is collecting the names of potential customers, one of whom is called John Smith. Given that this is a very common name, it is highly unlikely that the exact John Smith being referred to could be identified from just this name. If the company were to also collect a less common or unique name, for example Filip Phry, it is much more possible that this person could be identified by their name alone. John Smith may not be considered personal data in this case, whereas Filip Phry certainly could be.

Going further, imagine this company collects more detailed information on John Smith such as what city he lives in, his marital status, and his favorite brand of shoes. This combined information could be used to identify the correct John Smith and the information, including the name, could therefore be considered as personal data. The ability to identify the individual, directly or indirectly, is the key determining factor.

It is important to note that online and digital identifiers, such as IP addresses or usernames, may be considered as personal data.

What Action Should Organizations Take?

A first step for any organization is to audit their data, identify what could be considered personal data in their use case, and ensure that they have received consent in a GDPR compliant manner to continue processing it. If this is not done and personal data is stored, collected, or used in violation of the GDPR, the group could face incredibly harsh sanctions or financial penalties.

The post GDPR Definition of Personal Data appeared first on HIPAA Journal.

Does GDPR Apply to Employees?

The introduction of the General Data Protection Regulation (GDPR) is just around the corner, and many organizations are wondering whether the GDPR also applies to data concerning employees, as well as to data related to clients or customers.

The short answer to this is yes, employee data is subject to the same protections as client and customer data under the GDPR. When groups design their systems to be GDPR compliant, they must not forget to review and modify the systems that deal with internal staff information.

This will also mean that staff members will have similar rights to clients and customers in relation to requesting copies of their stored data and other areas. Organizations will face penalties for mismanagement or misconduct of employee data the same as they would for mishandling or violating the rules for data concerning individuals external to the group.

How Should Human Resources Prepare?

As the majority of data relating to employees will be held and processed by the Human Resources (HR) department, it will be crucial for HR staff members to gain a strong working knowledge of the GDPR and how it will apply to their functions. Seemingly simple and standard administrative tasks may now require extra steps, such as gaining authorization to process an employee’s personal data, especially data that is not directly relevant to their employment.

Previously, this sort of request could be made as part of the employment contract, but with the introduction of the GDPR this will change. Consent to process an individual’s personal data can no longer be gathered as a consequence of them signing a contract; as per Article 7 of the GDPR, Consent, this permission must now be separately requested. The relevant section of Article 7 states that “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”. While organizations have, and can show, legitimate cause to process certain data directly related to the employment of a member of staff (and HR will have to be very clear on what this data is and how it can and cannot be processed), consent must be sought for the processing of any other personal data. This consent must also be freely given by the employee, and the GDPR notes that if the fulfillment of a contract is conditional on this “extra” consent being given, it may be determined that the consent was not freely given and is therefore not valid.

Employees must be made aware of the data that HR will process and why it is being processed. To facilitate this, HR should take note of the personal data that they process and the reasons for this processing. Auditing the data will help identify information that is being held but which is not directly related to the functions of the organization. Authorization to continue holding this information should be sought before the introduction of the GDPR, if desired, or else it should be deleted. The audit can also help identify old or erroneous information. The GDPR requires data to be kept up-to-date, stating that “every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted”.

As well as the appropriate administrative procedures, HR will need to ensure that the appropriate technical and IT protections are in place to secure employee data from access by unauthorized individuals. Systems will need to be reviewed and implemented to ensure data cannot be accidentally or unlawfully destroyed, lost, altered, disclosed, accessed, transmitted, stored or otherwise processed.

Failure to follow these rules may result in the group being found in violation of the GDPR and facing sanctions or fines.

The post Does GDPR Apply to Employees? appeared first on HIPAA Journal.

GDPR and Cold Emailing

As mentioned above, cold emailing is not completely banned or prohibited by the GDPR but it has placed restrictions on how cold emailing can be used. Unrequested marketing materials cannot just be sent out to random email addresses. Doing so could even result in penalties against the organization.

Audience targeting for cold emailing will become much more important under the GDPR. The sender must be able to demonstrate a strong indication that the recipients will be interested in the subject matter. Something such as their job title or business area may be enough to defend contacting the target, but more information should be included when available. Obviously, any information used to support contacting an individual must be obtained legally and transparently. Other criteria that must be met include:

  • Emails should have their subject matter and topics plainly visible.
  • The email should be personalized to the recipient. This is another area where target and subject relevance is crucial.
  • An unsubscribe option must exist to enable recipients to opt out from receiving future communications.
  • The identity of the sender must be clearly marked, with a physical contact address provided.
  • It may be good practice for those creating email lists to record how they obtained the prospect’s contact information, which information they collected, and why.

As the GDPR gives data subjects the right to request a copy of their information held by an entity and the “right to be forgotten” – to have their information deleted from an organization’s database – any group that stores such information must put systems in place so that such a request can be rapidly granted.

The GDPR also requires data to be kept up-to-date – “every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted”. This means that email addresses that are invalid must be deleted from the database.

Another key element of the GDPR is data minimization, meaning that only the data required for the processing you are undertaking should be collected or accessed. In the case of those putting together email address lists to contact highly relevant prospects, this would only include the email addresses, names, and perhaps the names of the businesses or the job titles. If the fax or telephone number of the contact is not relevant, for example, it should not be processed. If other pieces of information are relevant, they can be used, but there must be a clear reason for their relevance. In the case of those offering a sign-up or opt-in emailing service, any information collected as part of the sign up process must be clearly linked to why it is needed and the way in which it will be processed.

The post GDPR and Cold Emailing appeared first on HIPAA Journal.

GDPR Consent for Existing Customers

With less than a month to go before the introduction of the General Data Protection Regulation (GDPR), many companies are wondering whether they need to request consent from their existing customers in order to process or continue processing their data. There are a number of conditions that must be met for consent to be valid under the GDPR. These include consent having been given freely by an informed individual for a specified purpose.

On a superficial level, these are the same as the criteria which must be followed under the existing law. As a result, many organizations may feel that their user and customer consent does not need to be reviewed. However, the GDPR makes some amendments to how consent can be acquired, given, or implied. It is important that groups make note of these additional requirements when assessing the consent of their existing customers and when requesting consent from new and future customers. Below, we review some of the more important aspects that must be respected. If these have not been applied, existing consent may not be valid and the company may be non-compliant.

Consent as a Stand-alone Action

Under the GDPR, consent cannot be gathered from users as a result of them agreeing to the general terms and conditions of a service; it must be separately requested. Article 7, Consent, states that “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.

As well as this, there will be greater scrutiny of what constitutes “freely given” consent. If a contract or use of a service is conditional on consent being given to process personal data that is not required for the performance of the contract or use of the service, it may be determined that the consent was not freely given and is therefore not valid.

Pre-Checked Acceptance Fields and Silence are Not Acceptable Forms of Acquiring Consent

The Regulation states that “consent should be given by a clear affirmative act”. It must be an action or something else that is consciously and deliberately done by the individual. This means that, for example, someone telephoning a company cannot be informed that the conversation will be recorded and that by staying on the line they agree to the recording; they must actively verbally agree to it, or take some action such as pressing a button to consent to the recording. Similarly, websites that have pre-checked fields or opt-in boxes giving consent are also not acceptable. The individual must take the action of checking the box or field themselves.

The Individual Must be Told Who Uses the Data

When giving consent, the individual must be informed of who will be making use of the data, in the interests of transparency. This includes the identity of the main data controller, but also any third parties that may eventually use the data. Article 13, Information to be provided where personal data are collected from the data subject, notes that data subjects should be informed, among other things, of “the identity and the contact details of the controller” and “recipients or categories of recipients of the personal data, if any”.

Consent Provided Must be Recorded

Coming back to Article 7, we find another common theme that runs throughout the GDPR: documentation. The controller must be able to prove they are compliant with the GDPR, and in the case of consent this means that “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

Individuals Must be Easily Able to Withdraw Consent

Staying with Article 7 still, we see that data subjects must be allowed to withdraw their consent. Crucially, the law states that “it shall be as easy to withdraw as to give consent”. This means companies must put systems in place to facilitate withdrawing consent and ensure processing is halted upon such a revocation of consent.

GDPR Cold Emailing Rules

Many organizations that use cold emailing to reach out and contact new people are concerned that the General Data Protection Regulation (GDPR) will introduce rules prohibiting or strictly hampering the practice. When the GDPR comes into effect on May 25, 2018, these organizations can rest assured that, yes, cold emailing can still be used in compliance with the new legislation, but they will need to ensure that they are following the correct procedures when doing it.

Member State Laws May Differ

Even though one of the principal goals of the GDPR is to harmonize the rules regarding data protection and data processing across the EU member states, there may still be local exceptions or differences that must be taken into account. Every member state retains some liberty and a degree of discretion as to the laws they themselves implement that may affect how the GDPR is enforced. Groups should therefore verify the local legal requirements of the country or countries where they will be operating before collecting or processing any data.

The post GDPR Consent for Existing Customers appeared first on HIPAA Journal.

Comparison of European and American Privacy Law

With the introduction of the General Data Protection Regulation (GDPR) just around the corner on May 25, 2018, many people are wondering how the new European law will compare to American privacy laws.

An important point to note from the outset is that the GDPR will not just apply to organizations based within the EU, but to any organization which collects or processes the data of individuals based in the EU. The chief determining factor of GDPR applicability is the location of the data subject, not the location of the company.

To further clarify this point, many organizations believe that the GDPR only applies to EU citizens. This is not the case. If the data has been collected in the EU, even if the data relates to a non-EU citizen, the information is subject to the protections of the GDPR and the controller and processing entities must treat it in compliance with these rules. Similarly, should a citizen of an EU country have their data collected and processed outside of the EU, their data is not subject to the GDPR protections as it was not collected within the EU.

As well as confusion arising from different legal systems and different locations, some cultural differences are also affecting perceptions of the GDPR and privacy laws.

A European Attitude to Privacy and Personal Information

One of the main aims of the GDPR is to ensure that every individual located within the EU, no matter which member state, is guaranteed the same rights and freedoms – including the right to privacy, which is thought of as a basic human right. To accomplish this, the GDPR will enshrine this and other rights in the legislative framework of the EU member states. The desired result will be a cohesive and secure approach to processing personal data collected across the EU, which will protect individuals and their privacy.

An American Attitude to Privacy and Personal Information

In a legal sense, the United States does not provide for an overall expectation of privacy. The collection and processing of personal data is generally regulated based on the type of data under discussion. This is why, for example, data related to healthcare is subject to the Health Insurance Portability and Accountability Act, commonly known as HIPAA, and financial data is governed by the Gramm-Leach-Bliley Act, known as GLBA. As there is no current law in the US that is analogous to the GDPR, many types of data that are covered by the GDPR do not have corresponding protections under American law. This will more than likely result in a situation where data gathered from within the EU will have to be processed and stored to different requirements and to different standards than data gathered from within the US.

How is This Liable to Affect US Organizations?

Implementing, managing, and overseeing two different but parallel approaches to data processing will probably strain the resources of many US based organizations. Making use of several systems depending on the type of data and the location from which it was gathered introduces a level of complexity that may impact the efficiency of operations and that could lead to mix-ups and mistakes, potentially resulting in fines or sanctions for non-compliance with the correct regulations.

Further confusing the issue is that a single individual may have data that falls under both or multiple sets of legislation. In an increasingly globalized world, it is not out of the question for someone living in New York to have their data gathered within the US throughout the course of their daily activities, and to then take a trip to Europe for business or pleasure and have their data gathered within the EU during the trip. If their data is collected by the same US based multinational group, say a coffee shop chain, online accommodation service, or electronics manufacturer, then this company would have data from the same individual subject to different sets of legislation – essentially prohibiting the merging of the data and the ability to extract useful information from it.

A solution that is being proposed to this double standard is to simply eliminate it by applying the same procedures to all data collecting and processing activities. While it may take time and resources to design a system that meets the requirements of all the relevant laws, the gains in efficiency and the reduction in risk could largely make up for this. However, it is not yet certain whether many organizations will implement this solution.

The post Comparison of European and American Privacy Law appeared first on HIPAA Journal.

GDPR Exemptions

The soon-to-be-introduced General Data Protection Regulation (GDPR) will govern how organizations store and process personal data relating to people living in the European Union (EU), but some exemptions can be made under the new legislation. With the GDPR coming into effect on May 25, 2018, there is still a certain amount of confusion relating to how it will work and how it will interact with member states’ laws. Below, we will try to clear up some of this confusion.

GDPR vs National Law

A chief aim of the GDPR is to harmonize the rules concerning data processing across the EU. Even with this as a goal, there will still be a certain amount of leeway and discretion permitted for each individual EU member state to legislate some aspects of how data management is policed.

GDPR Article 23, Restrictions, presents a set of acceptable reasons for which a member state may introduce a law restricting some of the rights otherwise granted in the other articles of the GDPR. These reasons include:

  • security and defense
  • prevention, detection, investigation, or prosecution of crime or breaches of ethics for regulated professions
  • protection of the judicial system
  • protection of important national public interests e.g. relating to budgets, public health, or social security

Any national legislation restricting GDPR rights can only be implemented with the caveat that the law must respect “the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society”.

A number of other exemptions are provided for in Articles 85, 86, 87, 88, 89, 90, and 91. Article 85, for example, Processing and freedom of expression and information, establishes the right for member states to introduce laws which balance the rights to privacy of personal data with the rights to freedom of expression for “journalistic […] and […] academic, artistic or literary expression”.

Article 86, Processing and public access to official documents, allows laws to be established that balance the right of “public access to official documents with the right to the protection of personal data”.

An important area for organizations in all member states will be Article 88, Processing in the context of employment. Laws regulating how employee data is to be processed may be introduced to allow for greater detail in areas such as equality and diversity in the workplace, health and safety, and employment benefits. Any such law must “include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights”, and the European Commission must be notified of the laws which are being enforced in the member state, as well as any amendments to them.

Other areas in which EU member states may introduce laws restricting or affecting the rights afforded under the GDPR include processing for national administrative reasons, such as for an identification number; processing for scientific or historical research; processing of statistics or archiving of data in the public interest; and state or professional secrets.

Churches and religious bodies which process data and which have rules governing data protection will be obliged to update their procedures to be in line with the GDPR, and they will be placed under the control of an independent supervisory authority.

In the case of most of these exemptions and exceptions, member states are required to notify the European Commission of their course of action and amendments they adopt; to enforce the principle of data minimization – only processing the minimum amount of personal data to fulfill a purpose; and to ensure that the exemptions and exceptions include sufficient protections and safeguards such that they will not have any undue impact on the rights and freedoms of the data subjects concerned.

The post GDPR Exemptions appeared first on HIPAA Journal.

GDPR Data Breach Notification Rules

The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, makes a number of changes to how organizations can use personal data, but it has also changed the rules of how data breach notifications should be issued.

Both data controllers and data processors are obligated to put in place sufficient apparatus and methods to safeguard the information they hold and process. While exact means are not specified, it is stated in Article 32, Security of processing, and several other times in the legislation, that the “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” should be implemented. A non-exhaustive list of examples of security measures that may be considered is also given. The list includes pseudonymization and encryption, as well as procedures to ensure the confidentiality of data, to quickly restore access to data following incidents, and to regularly test the security measures.

The security system and procedures must be documented so that compliance with the regulations can be proven. If an organization is unable to show that it has the necessary security infrastructure and testing in place, it risks being labeled as non-compliant and facing penalties.

When Should a Breach Notification be Issued?

In GDPR Article 4, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Under Article 33, Notification of a personal data breach to the supervisory authority, data controllers are obligated to report data breaches to the appropriate authority within 72 hours of discovery of the breach. If the report is not made within 72 hours, the reason for the delay must be explained to the authority. If a data breach occurs and it is determined that there is a low probability that a data subject – a person to whom the data relates – will have their rights and freedoms affected, then the breach does not have to be reported within the 72 hour time limit.

Controller notifications to data subjects are not held to a fixed deadline, but must be made “without undue delay”. Data processors are also required to notify the relevant data controller “without undue delay” following the discovery of a breach.

What Should be Included in a Data Breach Notification?

The data controller is responsible for reporting the breach to the authority, even in cases where the processor is the source of the breach. There are certain elements which are required to be included in the notification to the authority, in so far as possible. These are:

  • the nature of the personal data
  • the categories of data involved
  • the approximate number of data subjects impacted
  • the approximate number of data records impacted
  • the name and contact details of the data protection officer or the main information contact
  • a description of the probable consequences of the breach
  • a description of the actions being or to be taken by the controller to minimize the damage and prevent future breaches of the same kind from occurring

The above information can be provided all at once or as it becomes available without unnecessary delay. All of this should be documented to allow a review of compliance at a later date.

Controllers will also be responsible for notifying data subjects following some breaches where there is an elevated risk to the concerned individual’s rights and freedoms. Notification is not needed if measures were in place that would “render the personal data unintelligible to any person who is not authorised to access it, such as encryption”; if the actions taken following the breach make harm to the rights and freedoms of the individual unlikely to occur; or if notification would require “disproportionate effort” – in which case an effective means of publicly informing data subjects may be used.

Similar to notifications to the authority, notifications to data subjects must include:

  • the name and contact details of the data protection officer or the main information contact
  • a description of the probable consequences of the breach
  • a description of the actions being or to be taken by the controller to minimize the damage and prevent future breaches of the same kind from occurring
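The two decision paths described above (the Article 33 report to the authority with its 72 hour clock, and the Article 34 notice to data subjects with its exemptions) as an added Python example; this is not code from the original post, and the risk scale, the field names and the sample breach are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

AUTHORITY_DEADLINE = timedelta(hours=72)  # Article 33 clock runs from discovery
# Report contents listed on the page; the subject notice needs the last three
AUTHORITY_FIELDS = ("nature", "categories", "approx_subjects", "approx_records",
                    "dpo_contact", "consequences", "measures")
SUBJECT_FIELDS = AUTHORITY_FIELDS[-3:]

@dataclass
class Breach:
    discovered_at: datetime
    risk: str                          # "unlikely", "risk" or "high" (assumed scale)
    unintelligible: bool = False       # data encrypted or otherwise unreadable
    harm_mitigated: bool = False       # later actions make harm unlikely
    disproportionate_effort: bool = False
    details: dict = field(default_factory=dict)  # keys as in AUTHORITY_FIELDS

def authority_notification(breach: Breach, now: datetime) -> dict:
    """Article 33: is a report due, by when, and which elements are still missing."""
    if breach.risk == "unlikely":
        return {"required": False}  # risk to rights and freedoms is unlikely
    deadline = breach.discovered_at + AUTHORITY_DEADLINE
    return {"required": True, "deadline": deadline,
            "delay_reason_required": now > deadline,  # late reports need a reason
            "missing_fields": [f for f in AUTHORITY_FIELDS if f not in breach.details]}

def data_subject_notification(breach: Breach) -> dict:
    """Article 34: direct notice, public communication, or one of the exemptions."""
    if breach.risk != "high":
        return {"required": False, "reason": "no elevated risk"}
    if breach.unintelligible:
        return {"required": False, "reason": "data unintelligible (e.g. encrypted)"}
    if breach.harm_mitigated:
        return {"required": False, "reason": "subsequent measures make harm unlikely"}
    return {"required": True,
            "channel": "public" if breach.disproportionate_effort else "direct",
            "missing_fields": [f for f in SUBJECT_FIELDS if f not in breach.details]}

# Constructed sample: unencrypted customer export on a lost laptop, triaged 80 hours
# after discovery while the number of affected people is still being established
SAMPLE = Breach(
    discovered_at=datetime(2018, 6, 4, 9, 0, tzinfo=timezone.utc), risk="high",
    details={"nature": "lost device", "categories": ["contact data"],
             "approx_records": 12000, "dpo_contact": "dpo@example.invalid",
             "consequences": "phishing against customers", "measures": "remote wipe"})
TRIAGED_AT = SAMPLE.discovered_at + timedelta(hours=80)
```

For the sample, the authority report is required, is already past its deadline (so a reason for the delay is needed), and still lacks the approximate number of data subjects, while the data subjects themselves must be notified directly.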

The post GDPR Data Breach Notification Rules appeared first on HIPAA Journal.

What is the Difference Between a Controller and a Processor in GDPR?

The General Data Protection Regulation (GDPR) makes frequent reference to GDPR data controllers and GDPR data processors, but what is the difference between a controller and a processor under the GDPR?

When the GDPR comes into effect on May 25, 2018, both data controllers and data processors will have specific duties which they must fulfill. Under the existing regulations, data processors do not have statutory responsibilities. This will change with the GDPR’s introduction. As a result, organizations will need to ensure that they are aware of whether they will be classified as data controllers or data processors. If they are unsure, they run the risk of failing to comply with the strict standards and criteria expected of them under the new law. They should also know where they stand in order to implement the necessary data protections and procedures, if applicable.

GDPR Data Controllers

The GDPR has kept the categorization of data controllers and data processors the same as it appears in the existing legislation. A data controller decides, either alone or in concert with other groups, what types of data are to be collected and how they should be processed. They have a number of important obligations under the law. Numerous distinctions exist between data controllers and data processors. Let us take, for example, a company processing payroll data: the company itself would be classified as a data processor whereas that company’s customers would be data controllers.

GDPR Data Controllers’ Responsibilities

Data controllers are responsible for, and must be able to show that, the data processing actions they use do not violate GDPR standards, in accordance with the accountability principle of Article 5. This part of the law states, among other things, that data must be “processed lawfully, fairly and in a transparent manner”.

Article 5 goes on to state that use of the data must be strictly limited to “specified, explicit and legitimate purposes”; that only the minimum data needed for the purpose will be processed; and that reasonable steps must be taken to ensure the data is accurate and up-to-date. Data controllers are also responsible for the confidentiality of the data. Compliance with these rules can be strengthened through introducing a code of conduct, which processors must abide by.

It is important that controllers put such codes of conduct and rules into place at the very beginning of their activities, following a concept called privacy by design. Once these are implemented, they can help to ensure that the correct technical and organizational procedures are respected, an area for which the controller is also responsible. This will help establish norms such that only the minimum amount of data is processed, in a secure manner, as a matter of course.

The GDPR further expands on this approach in Article 25, Data protection by design and by default. This Article calls for the data controller to introduce “appropriate technical and organisational measures” to:

  • implement data-protection principles, such as data minimization
  • ensure that, by default, only the data necessary for each specific purpose is processed and stored
  • keep the period of data storage to a minimum
  • ensure access to data is strictly limited to only those who require it

Data controllers should also designate the parties responsible for data protection, impact assessments, risk reduction, and data minimization.

GDPR Data Processors

In contrast to controllers, data processors are public entities or agencies that store or process data for controllers. As they play a central role by processing data, it is of the utmost importance that they are only selected after a careful review process – indeed, the GDPR requires that due diligence research be carried out when choosing a data processor – and that strict agreements be put in place to ensure that processors fulfill the requirements imposed upon them by data controllers and regulatory bodies.

GDPR Data Processors’ Responsibilities

In certain cases, data processors will be required to designate a Data Protection Officer (DPO). This concerns both processors and controllers and should be done when systematic processing of large amounts of data is conducted or when data related to criminal and legal records is processed.

Processors cannot make use of the services of sub-processors without first receiving written permission to do so and contractually binding the sub-processor to the same standards dictated to them by authorities and data controllers. Any sub-processor used must meet GDPR standards and must comply with the established procedures before transferring any data to a non-EU country. The processor remains answerable for any error committed by the sub-processor.

A key element in ensuring compliance with the GDPR will be the close collaboration of processors and controllers while conducting impact assessments. Processors must be able to answer any questions or objections posed to them. Importantly, they must be able to satisfy data subjects who choose to use their “right to be forgotten”, who request a copy of their data, or who object to the use of their data.

The post What is the Difference Between a Controller and a Processor in GDPR? appeared first on HIPAA Journal.