All posts in GDPR

The Hidden Force That Will Drive GDPR Privacy Compliance

Daniel Solove
Founder of TeachPrivacy

GDPR Compliance

 

The clock is ticking on getting ready to comply with the EU General Data Protection Regulation (GDPR). EU regulators will start enforcing it on May 25, 2018.

GDPR is less than a year away, and it’s quite a challenge to get ready for. Becoming compliant is not something that can be achieved overnight, or in a week, or in a month, or even in quarter.  A lot of privacy and security controls must be put into place or adapted to satisfy new EU standards and rights.

.

Continue Reading

Preparing for GDPR: A Year to Batten Down the Hatches

Daniel Solove
Founder of TeachPrivacy

The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018.  The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.

Continue Reading

The U.S. Congress Is Not the Leader in Privacy or Data Security Law

Daniel Solove
Founder of TeachPrivacy

Capitol Sinking 01

A common myth is that the U.S. Congress is a leader in creating privacy and data security law.  But this has not been true for quite some time.  Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.

In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws.  Here are some of the most prominent of these statutes:

Continue Reading

Congress’s Attempt to Repeal the FCC Internet Privacy Rules: The Void Will Be Filled

Daniel Solove
Founder of TeachPrivacy

FCC Privacy Rules Repealed

Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs).  The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements.  Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications.  The rules required reasonable data security protections as well as data breach notification.

FCC LogoThis development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed.  There are many other regulators and sources of privacy law to fill the void.

Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules.  They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.

Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry.  In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies..  But nature abhors a vacuum.  Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU.  They are far more likely to regulate privacy even more stringently than the FCC or FTC.

In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation.  This is what happened with data security regulation and data breach notification.  Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law.  But it failed to act.  Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws.  Instead of having to comply with one law, companies must navigate laws in many states.  The most common strategy for companies operating in all states  is to try to follow the strictest state law,  Thus, the de facto rule is the law of the state with the most strict protections.

Continue Reading

Privacy Cartoon: Privacy Budget vs. Security Budget

Daniel Solove
Founder of TeachPrivacy

 

Cartoon Privacy vs. Security Budget

My cartoon depicts the discrepancy in the security and privacy budgets at many organizations.  Of course, the cartoon is an exaggeration.  In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were.  That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.

Fortunately, it does appear that privacy budgets have increased according to the 2016  IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world.  Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.

Continue Reading

GDPR Cartoon: Taking Privacy Seriously

Daniel Solove
Founder of TeachPrivacy

cartoon-gdpr-training-privacy-shield-training-02

I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy.  More work gets thrown onto the shoulders of under-resourced privacy departments.

It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization.  Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018.  It’s never too early for organizations to start preparing.  GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases.  For more information, see the FAQ page I created about the GDPR and privacy awareness training.

Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take.  Privacy office budgets and sizes should be going up by a lot these days.

Continue Reading

Privacy Shield Training

Daniel Solove
Founder of TeachPrivacy

Privacy Shield Training Course

I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework.  Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US.  Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.

Continue Reading

A New US-EU Safe Harbor Agreement Has Been Reached

Daniel Solove
Founder of TeachPrivacy

EU-US Privacy Shield Safe Harbor Training

Last year, the death of the US-EU Safe Harbor Arrangement sent waves of shock and despair to the approximately 4500 companies that used this mechanism to transfer personal data from the US to the EU.  But a new day has dawned.

Continue Reading