The GDPR Challenge
eBook - ePub

The GDPR Challenge

Privacy, Technology, and Compliance in an Age of Accelerating Change

Amie Taal

  • 240 pages
  • English
  • ePUB

About This Book

Consent is necessary for collecting, processing and transferring personal identifiable information (PII) and sensitive personal data. But to what extent? What are the limitations and restrictions to avoid penalties under the General Data Protection Regulation 2018 (GDPR), which may be up to 4% of annual global turnover or €20 million (whichever is higher), together with enforcement actions and sanctions? Under GDPR Article 51, each EU Member State shall maintain an independent public authority (the Supervisory Authority) responsible for monitoring the application of the regulation in order to protect the fundamental rights of data subjects. The Supervisory Authority has powers to issue warnings, conduct audits, recommend remediation, order erasure of data and suspend data transfers to a third country. GDPR has changed the way data is used, accessed and stored. Its reach extends well beyond the European Union, and it is the basis of other data privacy laws around the world. This book provides a review of, and guidance on, implementing and complying with GDPR while taking advantage of technology innovations, supported by real-life examples. The book shows the wide scope of applications that protect data privacy while taking advantage of processes and techniques in various fields such as eDiscovery, Cyber Insurance, Virtual-based Intelligence, Information Security, Cyber Security, Information Governance, Blockchain and Biometric technologies and techniques.



CRC Press

CHAPTER 1 Introduction

Amie Taal¹
¹ Amie Taal is the CEO and Founder of Stratagem Tech Solutions Limited — [email protected]
“Accountability is at the centre of all of this: of getting it right today, getting it right in May 2018 and getting it right beyond that.”
Elizabeth Denham, Information Commissioner, UK


The General Data Protection Regulation (“GDPR”) is no doubt a step up from what had existed in the past to protect EU data subject rights. It has changed the way data is handled in all industries, from a process-driven activity to a risk-based approach. Still, the most significant impact is the far reach of this regulation: adherence is not specific to the European Union (“EU”). Since 2016, it has become the baseline for data privacy laws around the globe, making it a landmark in the evolution of data privacy as a global phenomenon.
The two-year grace period from 2016 to 2018, prior to enforcement of the regulation in 2018, came with a wave of discontent, uncertainty and, in some instances, confusion. What was very clear is that no particular jurisdiction, especially in the EU, was 100% compliant. From an individual standpoint, data privacy was almost a distant memory or a forgotten right.
Outside the EU, the regulation sent shockwaves, especially after the decision in Maximillian Schrems v Data Protection Commissioner (joined party Digital Rights Ireland Ltd), which rendered the Safe Harbour agreement null and void on October 6, 2015, because Facebook Ireland Ltd (“Facebook Ireland”) transferred and stored its EU users’ personal identifiable information (“PII”) in the United States of America (“USA”), a blatant breach of the Safe Harbour agreement. In the wake of impactful international data breaches like Cambridge Analytica, Equifax and TalkTalk, many non-EU citizens now have increased awareness of, and heightened concerns about, the use and security of their personal identifiable information.
The conception of this book came about from the panic and uncertainty GDPR brought following the announcement in 2016 of the imminent regulation and, importantly, the enforcement date of 25th May 2018. The focus of this edited volume is specific: highlighting the impact of GDPR on heavily technology-reliant fields, including investigations, application development, eDiscovery and new technology innovations such as Artificial Intelligence, Machine Learning and Blockchain, and providing workable solutions of the kind that have always been employed in the data privacy space. Many people working in various fields of technology, and in non-technological roles, have dealt with data privacy requirements and issues for many years and have become fully versed in the application of regulatory requirements. The opportunity to gather a group of professionals who are truly respected in their field, to showcase their skills and experiences, and at the same time to share some great techniques and methodologies, was too enticing to ignore.
It was an absolute pleasure working with so many talented and knowledgeable professionals on this book. The reader will be far from disappointed by the knowledge and experience exhibited in the following chapters and the rich array of guidance and usable examples from practitioners and academia alike.
The book starts by diving straight into the core of technology and data privacy, and Information Governance best practices. Chapter 2 confronts questions of accountability and transparency concerning corporate algorithmic decision-making, with examples of strategies grounded both in the experience of the US Federal Trade Commission in dealing with fairness issues arising out of traditional credit scoring, and in best practices in the emerging field of information governance. This is followed by Chapter 3, “Cyber Insurance and Technology Innovation”, a hot topic and very timely. The threat of penalties and fines from cyber security incidents, now coupled with GDPR breaches, is enough to make any organization panic; the good news is that the cyber insurance market is growing, with a predicted growth of 26.3% by 2020.¹ Plans at board level for all global corporations now include the acquisition of cyber insurance, and the insured are well-positioned to negotiate for broader coverage regarding GDPR exposure.
Chapter 4 looks at the application of Multiple Instance Learning Framework to protect data access rights and academic research exploring machine learning to evidence GDPR compliance. Chapter 5 focuses on Social Media and sheds some light on the real business model behind social media, defining key privacy issues, and making a case for how the GDPR will help provide security when sharing users’ data. Chapters 6 and 7 explore eDiscovery from different angles including Legal, Technical, Privacy by Design, Information Governance and Data Portability.
Chapter 8 discusses ongoing challenges with Big Data and presents opportunities for cost savings through the efficiencies required to meet its mandates, and for increased business through adherence to contractual requirements, ensuring that the organization meets its customers’ needs for GDPR compliance. This is a must-read for all eDiscovery practitioners and litigators.
Taking the theme of Big Data further, Chapter 9 explores tools and techniques to manage a streamlined and effective investigation process across disparate data sources, a nightmare for investigators on both civil and criminal matters. The chapter goes further in providing ways in which companies can access, search and manage their enterprise data in an efficient, defensible and compliant manner by utilizing new and innovative technologies like knowledge integration platforms, artificial intelligence and machine learning.
The usefulness of technology to enable GDPR compliance is explored further in Chapter 10, “Existing and Emerging Biometric Data Technologies”. The chapter examines the use of biometric data from its ancient historical context to its present-day use in state-of-the-art technology, where it became a semi-automated and then an automated classification system with great examples of how this type of data and technology is regulated. Chapter 11 explores the challenges financial crime investigators and litigators alike must face to successfully access, process and transfer data under GDPR, as well as the opportunities and limitations presented by available technology.
The penultimate chapter explores and discusses the human behavioural aspect of GDPR, a vital factor in GDPR compliance yet one often forgotten or given little importance. Chapter 12 looks at the correlation between human behaviour and organizational culture, which has the potential to undermine GDPR compliance and lead to cyber security and data privacy breaches. Finally, Chapter 13 continues with the eDiscovery theme. It takes a deep dive into portable eDiscovery solutions currently on the market: solutions that take discovery efforts and capabilities to the source of the data.
How we use technology while at the same time adhering to data privacy regulations and legislation around the world is a crucial factor and the focus of this book. We wanted to cover topics which were both relevant and kept people in industry awake at night. Whether read from cover to cover or dipped into as a reference guide, this book will provide knowledge and practical examples for academia and industry alike.

GDPR Background

One cannot discuss or work in the data privacy space without understanding what personal identifiable information means, or its definition as set out in the GDPR.
As detailed in the regulation, “‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (GDPR, Article 4).
The EU Data Protection Directive 95/46/EC was regarded by many as law, and this caused some confusion; in addition, each EU jurisdiction had the right to pass a privacy law to protect its citizens or to incorporate its citizens’ privacy rights in existing law(s). The result was that there was no standardised way of dealing with data privacy breaches across the EU, and some countries were seen as being soft in the way privacy rights were enforced.
A short timeline of privacy laws in the UK since the 1995 EU Directive:
  • EU Data Protection Directive 95/46/EC
  • Data Protection Act 1998
  • Human Rights Act 1998
  • Safe Harbor Agreement 2000
  • Freedom of Information Act 2000
  • EU–US Privacy Shield 2016
  • General Data Protection Regulation (GDPR) 2018
  • Data Protection Act 2018
As early as 2001, prior to the first anniversary of the Safe Harbour Agreement 2000, there were companies which could self-certify that they adhered to the seven data privacy principles of the directive and complied with both the EU Data Protection Directive and Swiss requirements. This was heavily abused and caused discontent with, and criticism of, the agreement: it was not adequately policed; there was no means of redress for breach; and Edward Snowden voiced great concerns over state surveillance (USA PATRIOT Act). For US courts, cross-border data privacy requirements caused issues, the biggest being that eDiscovery information required for US litigation was not exempt from EU data privacy requirements.
In 1996 the Article 29 Working Party, “the Working Party on the Protection of Individuals with regard to the Processing of Personal Data”, was established: an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. In 2011 work on GDPR commenced; in 2015 an agreement on GDPR between the European Parliament, the Council and the Commission was reached; and on February 2, 2016, an action plan for implementation of GDPR was issued. GDPR was passed on April 14, 2016, the enforcement date was May 25, 2018, and it replaced the data protection directive of 1995. The regulation does not prevent jurisdictions from having their own privacy laws, and in 2018 a lot of new privacy legislation was seen in the EU to ensure GDPR adherence.
What are the new changes from the 1995 Directive?
  • Scope of Personal Data
  • Consent (Articles 6–8)
  • Privacy By Design (PbD) and Privacy By Default (Article 25)
  • Data Protection Impact Assessments (DPIAs) (Article 35)
  • Accountability: Data controller, data processor and appointment of a Data Protection Officer (DPO)
  • Breach notification – 72 hr rule (Articles 33–34)
  • One Data Protection Authority or DPA as lead
  • Judicial Redress and Compensation for data subjects (Articles 77–84)
  • Data Portability (Article 20)
  • International Transfers (Articles 44–50)
    • The Commission’s adequacy decisions will be re-examined periodically (once every four years)
    • The Commission will identify jurisdictions offering adequate data protection
  • Safeguards for transfers to inadequate jurisdictions
    • Standard contractual clauses or Approved industry codes of conduct
Accountability is a crucial aspect of GDPR: if people do not understand the role they play in their organization, especially with regard to data privacy, the consequence is that the organization will not be GDPR compliant. The roles and responsibilities are clearly defined in the regulation, such as the Supervisory Authority (Articles 51–59) and the Data Protection Officer (Articles 37–39).
Under Article 4 (Definitions) in the regulation, the role and responsibility of a Controller and a Processor are stated as “... ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data; where the purpose and means of such processing are determined by a Union or Member State law, the controller or the specific criteria for its nomination may be provided for by the Union or Member State law; and ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” (GDPR, 2018). The diagram below shows the data protection model under GDPR.
Fig. 1.1. Data Prot...