This document discusses data privacy and protection. It provides insights from internal and external experts on this topic. It addresses issues like how new European guidelines will affect information managers and what IT teams need to know about data retention. Specific topics covered include the safe harbour ruling between European and US data privacy laws, defining personal data and retention policies, and how new data privacy laws impact records managers and what IT needs to know.
Data Protection and Compliance with the GDPR Event, 22 September 2016 (Dr. Donald Macfarlane)
The document discusses how Britain's decision to exit the EU makes compliance with the General Data Protection Regulation (GDPR) even more important for businesses. The GDPR will apply from May 2018 and regulates how personal data of EU citizens is handled. It creates unified data protection across EU countries and non-compliance can result in large fines. The Brexit vote occurred after the GDPR was published, so businesses processing EU citizens' data will still need to comply with the GDPR whether they operate inside or outside the EU. The document provides examples of best practices for complying with GDPR rights like access, rectification, erasure, and outlines how understanding where data resides is crucial.
No Man is an Island: The Battle for Data Privacy (Kate Chan)
The document discusses upcoming changes to data protection legislation in Europe and the implications for companies. The EU General Data Protection Regulation (GDPR) will replace the 1995 Data Protection Directive in May 2018, imposing stricter rules around data collection, use, and transfers. It also discusses the replacement of the invalidated US-EU Safe Harbor agreement with the new EU-US Privacy Shield framework and the uncertainty caused by Brexit. The implications are that companies will need to devote more resources to data compliance and mobile ediscovery solutions may help address issues around cross-border data transfers and GDPR requirements.
1) The document discusses restrictions on transferring personal data outside of the EU under current EU law and how companies are increasingly using Binding Corporate Rules (BCRs) to manage cross-border data transfers and ensure privacy compliance.
2) BCRs allow companies to streamline privacy policies and processes globally while providing flexibility. They create trust within companies and with consumers.
3) Most current cross-border data transfer options under EU law have limitations, while BCRs offer a comprehensive solution as they are expressly acknowledged as a valid transfer method under the upcoming EU General Data Protection Regulation.
Legal & General Surveying Services have published an article in their magazine Perspective on the General Data Protection Regulation (GDPR), due to apply from May 2018, which will govern how businesses process individuals' data across all EU member states and will supersede the UK's Data Protection Act 1998.
The document discusses how data masking and pseudonymization support GDPR compliance. It provides context on the GDPR and how it aims to update privacy law for a modern, digital world. The GDPR introduces a legal definition of pseudonymization: processing personal data so that it can no longer be attributed to a specific individual without additional information, which must be kept separately and protected by technical and organisational measures. Data masking is one family of techniques for achieving this. The document highlights how masking technologies can help companies comply with the GDPR while preserving data quality for analysis. Companies that fail to implement appropriate measures such as pseudonymization could face fines of up to 4% of global annual turnover (or 20 million euros, whichever is higher) under the GDPR.
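Pseudonymization as the summary above describes it is a concrete technique, so here is an added worked example written for this page (it is not code from the summarised document or from any vendor product): keyed pseudonymization of direct identifiers with HMAC-SHA256, where the key is the "additional information" held separately from the data, plus an irreversible display mask and an erasure step that only the key holder can perform. The key value, the sample dataset, the field names and the function names are all constructed for the example.

```python
"""Keyed pseudonymisation of direct identifiers in a record set.

Assumption (not from the original page): the pseudonymisation key is held
by a separate custodian or KMS and is never stored with the pseudonymised
data. That separation is what makes the output pseudonymous rather than
anonymous: re-identification needs the key, and nothing else does.
"""
import hashlib
import hmac

# Constructed demo key; in production fetch it from a KMS, never hard-code it.
DEMO_KEY = bytes.fromhex("0f" * 32)

# Fields that directly identify a person in the constructed dataset below.
DIRECT_IDENTIFIERS = ("email", "customer_id")


def normalize(value: str) -> str:
    """Canonicalise an identifier so "Alice@Example.COM " and
    "alice@example.com" map to the same pseudonym."""
    return value.strip().lower()


def pseudonymize(value: str, key: bytes, purpose: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over purpose || 0x00 || value.

    A plain unkeyed hash would be reversible by brute force over the small
    space of plausible e-mail addresses; the secret key is what blocks that.
    The purpose string gives domain separation, so the same person receives
    unlinkable pseudonyms in datasets held for different purposes.
    """
    msg = purpose.encode() + b"\x00" + normalize(value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def mask_email(email: str) -> str:
    """Irreversible display masking of the local part: a****@example.com.
    The fixed number of asterisks avoids leaking the local part's length."""
    local, _, domain = normalize(email).partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "****@" + domain


def pseudonymize_records(records, key, purpose, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with direct identifiers replaced by
    tokens. Analytic columns are untouched, so aggregation still works."""
    out = []
    for rec in records:
        clean = dict(rec)
        for field in fields:
            if field in clean:
                clean[field] = pseudonymize(clean[field], key, purpose)
        out.append(clean)
    return out


def spend_per_customer(pseudo_records):
    """An analysis that still works on pseudonymised data: it only needs
    the same customer to map to the same token, not who the customer is."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["amount"]
    return totals


def erase_subject(pseudo_records, identifier, key, purpose):
    """Honour an erasure request against a pseudonymised store: the key
    holder recomputes the subject's token and drops the matching rows.
    Without the key the request could not be mapped to any row."""
    token = pseudonymize(identifier, key, purpose)
    return [r for r in pseudo_records if r.get("email") != token]


# Constructed sample dataset (fictitious people and amounts).
SAMPLE = [
    {"email": "Alice@Example.com", "customer_id": "C-1001", "amount": 20},
    {"email": "alice@example.com", "customer_id": "C-1001", "amount": 5},
    {"email": "bob@example.org", "customer_id": "C-2002", "amount": 7},
]

if __name__ == "__main__":
    pseudo = pseudonymize_records(SAMPLE, DEMO_KEY, "analytics")
    for row in pseudo:
        print(row)
    print(spend_per_customer(pseudo))
    print(mask_email(SAMPLE[0]["email"]))
    print(erase_subject(pseudo, "ALICE@example.com", DEMO_KEY, "analytics"))
```

Two design points matter for the GDPR definition: the key must live somewhere the analytics environment cannot read, or the data is effectively still identified; and the purpose string should change per dataset so that a leak of one pseudonymised table cannot be joined against another. Reversible masking (a lookup table mapping token back to identity) is also pseudonymization, but that table then carries the same protection burden as the key.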
EU Privacy for US Businesses - Presentation to Union Square Ventures (Rob Blamires)
This document summarizes key information about European data privacy laws for US businesses. It provides an overview of data privacy concepts like personal data, data processing, and the rights of data subjects. It then addresses common questions US clients have, such as whether US privacy policies can be used in Europe and how personal data can be transferred outside the EU. Recent developments around cookie consent rules and enforcement actions are also discussed. The document concludes with some key takeaways around US business obligations to comply with EU data protection law.
6 Lesson GDPR Booklet from Varonis to help you get compliant and stay compliant.
-Locate your sensitive data
-Prevent data breaches
-Rapidly alert to suspicious behavior
-Build long-term data security
Do You Have a Roadmap for EU GDPR Compliance? (Ulf Mattsson)
Description: The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles personal data of individuals in the European Union, even if the business is not based there.
Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR compliance?
Webcast URL : https://www.brighttalk.com/webcast/14723/259741
Att. Patrizia Giannini, Fordham University, New York, 19 July 2013 - electroni... (Amministratore Bluefactor)
This document discusses the differences between electronic discovery (e-discovery) in the European Union and the United States. In the EU, data protection is treated as a fundamental right, and the Data Protection Directive 95/46/EC strictly regulates the processing of personal data and its transfer outside the EU; e-discovery over personal data requires consent or a legitimate interest balanced against the individual's rights. In contrast, US civil procedure allows broad discovery of any relevant information. This creates conflicts for US companies with EU affiliates involved in US litigation, since they are subject to both regimes. Potential solutions include filtering and anonymizing personal data, obtaining protective orders, and following EU data transfer requirements, but companies may still face residual risk under both regimes.
Data Security and Privacy Under The Compliance Spotlight, April 2014 (Adriana Sanford)
Multinationals and their supply chains are facing increasing challenges around data privacy and compliance as regulations tighten. Companies must appoint data protection officers and enhance understanding of information risk among legal and supply chain teams. Strict privacy laws and the potential for high penalties mean companies can no longer overlook smaller suppliers, who may be vulnerable targets and threaten the entire supply chain with a breach. Firms must carefully manage data security at every point to ensure protection.
EU GDPR Lesson 1 - What is the GDPR? Why do we need it?
EU GDPR Lesson 2 - Data Protection by Design and by Default
EU GDPR Lesson 3 - The Right To Be Forgotten
EU GDPR Lesson 4 - Who Does the EU GDPR Apply To?
EU GDPR Lesson 5 - What Happens if I Don’t Comply with the EU GDPR?
EU GDPR Lesson 6 - Next Steps - How to Get There?
Over the past few years of monitoring the development of the EU General Data Protection Regulation (GDPR) and its effects on technology, we’ve distilled the parts of the regulation that most affect your business into this practical guide.
The document discusses the EU General Data Protection Regulation (GDPR), which took effect in May 2018. It provides the following key points:
- The GDPR replaced the previous EU data protection directive and directly applies across all EU member states. It aims to give individuals more control over their personal data.
- Key aspects of the GDPR include expanded territorial reach, requirements for data protection officers, increased accountability and privacy by design principles, strengthened rights for data subjects, and larger maximum fines for noncompliance.
- Companies need to review their data processing activities, legal bases for processing, consent mechanisms, security, breach response plans, and privacy notices to ensure compliance with the extensive new obligations and standards introduced by the GDPR.
GDPR is the new EU regulation governing the protection of personal data, and it applies to all companies doing business in the EU, including companies based outside Europe that collect or use personal data of individuals in the EU. It grants individuals rights to access and delete their personal data, and non-compliance can result in fines of up to 4% of global annual revenue (or 20 million euros, whichever is higher). Financial institutions face additional challenges: tracking every document that contains personal data, keeping auditable records of those documents, and being able to delete personal data upon request. Centralized control of GDPR compliance is recommended given the size of the potential fines.
This presentation explores the risk facing all charities and businesses if adequate thought is not given to the protection and security of one of its most treasured assets, its website.
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect... (John Nas)
The document discusses the challenges facing public sector organizations in the EU in adopting cloud solutions due to concerns over privacy and data protection. Recent legal changes like the invalidation of the Safe Harbor agreement and the passage of CISA in the US have increased worries that personal data of EU citizens could be accessed by US intelligence agencies. The upcoming GDPR will also broaden the definition of personal data and increase responsibilities of organizations. To address these risks, the document proposes a "franchise" model where a local EU entity acts as the data processor and is contractually separated from the non-EU cloud provider to ensure data remains outside of US jurisdiction.
The document provides guidance to companies on becoming compliant with the General Data Protection Regulation (GDPR). It explains what GDPR is and how it strengthens data protection rules in the EU. It then outlines the key changes under GDPR and presents a process flow for how a company can achieve compliance, including awareness campaigns, assessing risks and current state, implementing changes, updating policies and notices, and ongoing training. It identifies areas companies should analyze like marketing, IT, legal, and provides questions they should ask to validate compliance. The deadline for compliance is May 25, 2018.
This document provides guidance for companies outside the EU on complying with the General Data Protection Regulation (GDPR). It discusses how the GDPR applies extraterritorially to non-EU companies that offer goods or services to, or monitor the behaviour of, individuals in the EU. It outlines key GDPR concepts such as personal data, data controllers, processors, and consent requirements. It recommends that companies inventory all data storage locations, review contracts, and assess whether a Data Protection Officer is required. It also covers data breach notification timelines and potential fines for noncompliance.
Read about the data privacy protection & advisory in India - evolving rights and obligations related to data privacy & the implementation of data protection reforms.
The document discusses key priorities for boards to consider regarding implementation of the General Data Protection Regulation (GDPR). It provides an overview of the new requirements under GDPR, including expanded individual data rights for EU citizens, increased fines for noncompliance, and broader territorial scope. The document advises boards to ensure proper oversight of their organization's GDPR compliance programs, including regular reporting on status, audits, investigations and market developments. Directors could face liability for failing to oversee GDPR compliance risks.
Are you ready for the General Data Protection Regulation?
VILT has compiled this Frequently Asked Questions document. Read about what it is and how we can help.
The document discusses the need for consistent global legislation around data privacy and cybersecurity to help businesses protect customer and supplier information. Upcoming reforms to European Union privacy laws will affect businesses worldwide, highlighting the need for collaboration between the EU and United States on a cross-border approach. Differences in privacy laws between regions currently hinder businesses operating globally and cloud computing services.
The document summarizes the keynote presentation "Legal Implications of a Mobile Enterprise" given by Brad Frazer at the 2nd Annual IT Symposium. The presentation discusses the legal issues and exposures that enterprises face as employees increasingly use mobile devices and social media for work purposes. It highlights recent court cases involving mobile platforms and gives examples of how instant messages and social media posts can modify contracts or fall under laws such as CAN-SPAM. The presentation stresses that mobile usage multiplies legal risks and that IT, HR, management and legal must develop cooperative strategies to address them.
The document provides an overview of the General Data Protection Regulation (GDPR) that goes into effect in the European Union on May 25, 2018. Some key points:
- GDPR strengthens data protection rights for individuals in the EU and applies to any organization that collects data from them, regardless of where the organization is located.
- It establishes high fines for noncompliance (up to 4% of global revenue or 20 million euros, whichever is higher) and requires clear, freely given and easy-to-withdraw consent where consent is the basis for data collection and use.
- Individuals have new rights regarding their data, including rights to access, correct, and delete personal data, and to object to automated decision making. Organizations must also notify the supervisory authority of personal data breaches (within 72 hours where feasible) and, for high-risk breaches, the affected individuals.
- While
PECB Webinar: The End of Safe Harbour! What Happens Next? (PECB)
The webinar covers:
• What Safe Harbour was, and how companies relied on it
• How the end of it will affect US firms
• What will happen next
• How companies will react
• The implications of the ruling that invalidated it
• What is the solution to this
Presenter:
This session was hosted by Mr. Graeme Parker, Managing Director of Parker Solutions Group, a PECB representative in the UK. Mr. Parker has more than 20 years of experience in information security and data privacy, and has worked with many companies that relied on Safe Harbour.
Link to the recorded session published on YouTube: https://youtu.be/cbPUTVtxem0
The Evolution of Data Privacy - A Symantec Information Security Perspective o... (Symantec)
The European Union's proposed General Data Protection Regulation (GDPR) has left even the most informed confused. The new regulation is designed to update the current legislation, which was drafted at a time that was, in technology terms, prehistoric. The Data Protection Directive, drafted back in 1995, harks back to a time when data processing was more about filing cabinets than data rack enclosures. It's time to evolve.
Is it legal or illegal to use American cloud services in Europe?
Patricia Ayojedi's presentation on the controversy between the USA and Europe regarding cloud business.
ISACA Houston - How to de-classify data and rethink transfer of data between ... (Ulf Mattsson)
The document discusses data privacy regulations and international standards for transferring personal data between the US and EU after key court rulings invalidated the EU-US Privacy Shield and placed additional requirements on standard contractual clauses. It provides an overview of Privacy Shield and Schrems II, recommendations for focusing on accessible data, identifying personal data, governance, ongoing protection and audits to protect data after Privacy Shield. It also discusses the impact of GDPR and differences between pseudonymization under GDPR versus prior definitions.
GDPR: A Threat or Opportunity? www.normanbroadbent. (Steven Salter)
With General Data Protection Regulation (GDPR) a legal requirement for all UK companies from May 2018, there have been numerous articles written either demonstrating the confusion surrounding the new regulations, or detailing the downsides of the legislation.
1. The GDPR significantly changes data protection requirements for companies doing business in the EU and increases obligations for advertisers and networks/publishers who can now be jointly liable. It comes into effect in May 2018 with fines up to 4% of global revenue.
2. Under the GDPR, personal data is more broadly defined and users have more rights around consent, access, and removal of their data. Requirements around ad profiling and tracking remain unclear as guidance is still pending.
3. Companies should map their data flows, review consents and policies, and engage regulators to understand impacts on their business from the GDPR. Industry alignment with the FTC is also discussed.
Cognizant Business Consulting: The Impacts of GDPR (Audrey Miguel)
GDPR will fundamentally change the approach to personal data protection in Europe beginning in May 2018. It aims to give individuals greater control over their personal data and places more responsibility on organizations to demonstrate appropriate consent and data usage. While Swiss law already protects personal data, recent updates to Switzerland's Federal Act on Data Protection are intended to closely align it with GDPR. Organizations need to start implementing programs now to assess their compliance and address new requirements around data usage, security, individual rights and oversight.
This document provides a preview of key privacy and data security trends and issues that organizations should prepare for in 2017. It highlights major developments and challenges, such as the implementation of the EU's General Data Protection Regulation (GDPR), uncertainty around the EU-US Privacy Shield agreement, growing momentum to regulate privacy in internet-connected devices, and increasing privacy litigation and cyber threats. The document advises organizations to undertake assessments, update policies and procedures, and budget adequately to strengthen compliance and mitigate risks arising from these evolving laws, regulations and technologies.
General Data Protection Regulation (GDPR) - Moving from confusion to readiness (Omo Osagiede)
The document discusses the General Data Protection Regulation (GDPR) which regulates how companies handle personal data of EU citizens. It provides an overview of GDPR including key events leading to its adoption and how it strengthens data protection rights. It highlights some notable differences between GDPR and the previous UK Data Protection Act. The document also outlines an approach for companies to become GDPR compliant including conducting a data assessment, updating policies and processes, and appointing a data protection officer if needed. It notes both the penalties for non-compliance and opportunities that GDPR presents organizations.
The GDPR replaces the EU Data Protection Directive and introduces stricter regulations around personal data processing and privacy. It applies to all companies that handle the personal data of EU residents, regardless of the company's location. Under the GDPR, companies face heavier obligations like obtaining consent to collect personal data, appointing a data protection officer, implementing security measures, notifying about data breaches, and heavy fines for noncompliance. It also expands individuals' privacy rights regarding their personal data.
For today’s digital businesses, being prepared to meet new compliance requirements when storing and managing consumer data will not only minimize risk, but also enable more valued and trusted customer experiences that drive increased loyalty, engagement and revenue. To gain better perspective on this important issue, it’s important to understand:
- The trends driving governmental regulatory shifts and the basic tenets of these new laws
- The challenges faced by executives across the enterprise when managing privacy compliance for consumer data
- The emergence of cloud-based solutions that help businesses manage privacy compliance by acting as end-to-end customer data storage and management solutions that are far more scalable and flexible than legacy systems
The Evolution of Data Privacy: 3 things you didn’t know (Symantec)
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation has been designed to update the current directive, which was drafted in a time that was, in technology terms, prehistoric. It’s time to evolve.
This document discusses 10 common myths regarding compliance with the EU's General Data Protection Regulation (GDPR), which takes effect in May 2018. It aims to clarify misunderstandings about GDPR requirements.
The first myth addressed is that GDPR compliance is a one-time project like preparing for Y2K, but GDPR actually requires ongoing processes. The second myth is that no one will be fined, but regulators are likely to target large firms to set examples and fines could be up to 4% of revenue. The third myth is that all noncompliance will result in the maximum 4% fine, but fines will depend on factors like severity of the violation.
Privacy and Cybersecurity (todd581)
For some time now, the discussion regarding the convergence between data privacy and cybersecurity has been raging on (Burn, 2018). There have been new laws put in place in a bid to regulate the manner in which people’s private data is collected, used, disclosed and disposed of (Bhatia et al., 2016). On the other hand, cyber-attacks have spirited exponentially, as have numerous cases of data breaches and unauthorized access and use of personal data. There is a need for persons and organizations to understand their rights and obligations regarding such critical personal data as health, financial as well as other information that can be identified as critical. This is one area that is now more than ever very critical for business and almost every other sector in our dynamic world. That said, it is only important to delve into this matter, by means of reviewing the new data privacy laws and regulations, and cybersecurity and personal data protection best practices.
In a simple sense, with the experienced rise of large amounts of data and machine learning, the issues of privacy and cybersecurity are converging. What was some time ago an abstract concept that was aimed at ensuring that the expectations of our data were protected has now become a concrete and critical matter, to match the level of the threats posed by cybercriminals who would really like to access our data without our authorization. Looking at it more specifically, the biggest threat to our digital selves is the threat of unauthorized access to our personal information. In days gone by, privacy and security were perhaps largely separate functions that seemed to move almost in a parallel manner. Security took the front seat, thanks to the more tangible concerns about it, as privacy took a backseat. Nowadays, their lines have met thanks to the extensive machine learning techniques that we have in place. Once data is generated, any person who comes into possession of it poses new dangers to not only our privacy but also our security.
With all this in mind, it is perhaps too obvious that the world has reacted in a bid to control this problem. In that accord, new data regulations have been put in place to try as much as possible to mitigate the threats posed by data breaches and unauthorized access to personal data. An example of the recent data protection laws and regulations put in place is the Global Data Protection Regulation (GDPR) that was enforced in May 2018 (Burn, 2018). The regulation brought with it far-reaching alterations in policies regarding privacy and data security in the European Union and ultimately in the whole world. This is because companies handling data of individuals residing within the EU have to align with the regulation on how that data is managed and/or shared. Some of the far reaching provisions that companies mus.
The document discusses the new EU General Data Protection Regulation (GDPR) which significantly strengthens data protection laws for individuals and businesses. It will apply to any company that handles European citizens' data. Key implications of the GDPR include stricter rules around data breaches, privacy policies, consent procedures, and significantly increased fines for non-compliance. Businesses need to take action to be prepared and comply with the new regulations which take effect in 2018. Cloud security and access will be increasingly important areas to address under the GDPR's requirements.
The Impact of GDPR on Global IT Policies (jeanettehully)
Abstract
The General Regulation of the EU on Data Protection (GDPR) provides essential safeguards in the field of privacy, which offer new challenges and potential opportunities for organizations worldwide. However, worldwide organizations must make GDPR compliance changes to minimize GDPR liability. This editorial preface discusses the benefits and threats of the effect of GDPR on global technology growth. We also speak about how China and the US, the two world economic giants, could respond more effectively to GDPR threats and possibilities.
Introduction
The GDPR, which became law on May 25, 2018, is a data protection law that establishes rules on the collection, storage, and management of data of persons living in the European Union (EU, 2016). This legislation applies to all individuals residing in the EU. To satisfy the new demands on privacy raised by digital technology advancement, the new law increases EU data protection. Although the GDPR also covers EU citizens, it has a global impact that affects every EU business entity that provides services or keeps data regarding EU nationals which is personally identifiable.
GDPR offers users a broad degree of control to be overlooked, including the right to withdraw permission. In the same period, the information controllers and processors, including data protection, are required to record all their processing activities by the layout and by necessity. GDPR notes that businesses must seek the customer's permission for data collection and 'implementing successful technological and functional measures' to protect personal data for EU citizens (Kaushik et al. 2018).
In May 2018, the European Union adopted a General Data Protection Regulation, which drew a specific conclusion regarding the world's most detailed and common law on data security, with substantial and unexpected consequences for multinationals. In the months before it began, both inside and outside of Europe, businesses failed to adhere. However, as many as 80% of the firms concerned were still short of this goal on the eve of enforcement.
A year on, businesses continue to work to achieve full conformity with their newly founded regulations. The government will be more confident. Data processing and the processing of complaints in most European countries have doubled, although businesses of all sizes develop violations and associated penalties practices and processes.
The non-conformity to GDPR was held accountable by organizations that process data belonging to EU citizens. GDPR offers a new obstacle, as well as potentially stricter security measures, protocols, and procedures to protect, handle and maintain your data and ensure compliance with GDPR, to technology firms, providers of cloud services, data centers, and advertisers. Afterward, we were probably subjected to s ...
- Data protection principles set out the main responsibilities for organizations handling personal data, including processing data fairly and lawfully, only collecting data needed for the purpose, keeping data accurate, not storing it longer than needed, securing the data, and being accountable.
- Organizations must have a lawful basis to process personal data and do so in a transparent way by providing privacy notices. They can only use data for the specified purpose, not indefinitely or for new unspecified purposes. They must also minimize the data collected, keep it accurate, securely delete unneeded data, and keep records demonstrating compliance.
Data privacy and protection is a hot topic at the moment—and why wouldn’t it be? With major data breaches in the news nearly every day, the privacy of personal and business information is on the minds of companies across the globe. This eBook gathers data privacy and protection insights from internal Iron Mountain experts, along with external experts on the subject. It addresses a wide range of issues, from what information managers should learn from new European guidelines, to what your IT team needs to know about retention.
SAFE HARBOUR 3 › Safe Harbour Ruling Highlights Discrepancies Between European and U.S. Data Privacy Laws
PERSONAL DATA 5 › Personal Data is Not a Commodity
DATA PRIVACY LAWS 7 › How Do New Data Privacy Laws Affect Records Managers?
5 THINGS IT NEEDS TO KNOW 8 › 5 Things Your IT Team Needs to Know about Data Privacy
DEFINING RETENTION POLICIES 10 › 5 Steps To Defining Your Retention Policies
CONCLUSION 12 ›
SAFE HARBOUR RULING HIGHLIGHTS DISCREPANCIES BETWEEN EUROPEAN AND U.S. DATA PRIVACY LAWS
MICHAEL ZURCHER | Iron Mountain
JULIAN CUNNINGHAM-DAY | Linklaters LLP

In early October 2015, a key agreement that allows the transfer of European residents’ personal data from the European Economic Area (EEA) to the U.S., called ‘Safe Harbour’, was deemed invalid by Europe’s top court.

The European Court of Justice (ECJ) made the landmark ruling on the agreement, which has been in place since 2000. The court concluded that the agreement did not provide adequate protection for personal data in the context of access by intelligence agencies, an issue brought to light by former National Security Agency (NSA) contractor Edward Snowden, and by Austrian student Max Schrems, who filed a complaint against Facebook to the Irish data protection authority after Snowden’s publications in 2013.

What Happens Now?
Companies need to find another mechanism to legally “export” (or grant access to) personal data outside the EEA. The various options are discussed below. In addition, the ECJ confirmed that national data protection authorities have the authority to examine whether transfers of personal data to a third country meet the requirements of the EU data protection legislation.

Different countries and organisations have had a wide range of reactions to the ruling. Some data protection authorities (DPAs) have suggested a ban on most U.S. transfers, others have reached out to companies that have relied on the Safe Harbour, reminding them to implement a compliant solution, while the UK is telling its businesses not to panic. The so-called Article 29 working party (which represents all EU data protection authorities) set a deadline of the end of January 2016 to implement a compliant alternative to Safe Harbour. While work on ‘Safe Harbour 2’ continues, most DPAs have stated that transfers to the U.S. should be treated in the same way as transfers to most other major economies outside of the EEA, and legitimised using one of the other transfer options available.

There are four major options for Safe Harbour moving forward.

OPTION 1:
Option one is, as mentioned above, a second version of Safe Harbour. The parties hope to reach a new agreement in early 2016, but it is not certain that an agreement can be reached before the end of January.
Worst Case Scenario?
If no workable solution is found, data storage solutions may have to be rethought. It may be easier to house and grant access to European data in Europe only. This solution is possible, but would involve significant structural change for many organisations. EU regulators seem keen to encourage a better outcome.

OPTION 2:
Option two is adopting Binding Corporate Rules (BCRs). BCRs are an intra-group framework with different elements (legally binding commitments, policies, training, audit, etc.) that guarantees that European personal data will be adequately protected within the group. Implementing BCRs is a heavyweight process, taking 12 to 18 months to gain approvals from DPAs. It is also intra-group only and it is not clear how it would limit access by U.S. intelligence agencies.

OPTION 3:
Option three focuses on Model Contracts. This is an option that is already widely adopted by businesses operating in the EEA, and likely to be the most common alternative selection to Safe Harbour. It involves entering into bilateral arrangements that can be used with affiliates, 3rd party vendors or others with which companies want to share data. Potential issues include the fact that this solution also doesn’t prevent access by intelligence agencies, and in some countries additional complications arise from administrative formalities (submissions of the model clauses and translated and notarised documentation relating to the signing authority of the officers executing the clauses). In addition, under this ruling, DPAs would be able to suspend their approval for the use of Model Contracts.

OPTION 4:
Option four is really a partial solution focusing on individual derogations (consent, contractual necessity, etc.). The issues with this solution include difficulties in obtaining valid consent from affected individuals, and the fact that other derogations (e.g., processing necessary for a contract with an individual) only operate on a case-by-case basis.

Safe Harbour: Take Home
We are currently in a grace period as the EU and US authorities try to negotiate an alternative form of Safe Harbour (until end of January 2016), though this could be extended. Use the remaining time to select an option that works for your organisation. Like most multinational companies, Iron Mountain has selected Option 3 and executed Model Contracts.

What Does this Mean for Records Managers?
Records managers must ask the following questions:
• To what extent does my organisation rely on third party vendors in the U.S. for EU records/data processing?
• On what basis does my organisation export its data to such U.S. based vendors?
• Do any of our EU vendors subcontract work to the U.S.?
• On what basis do these EU vendors export their data to such U.S. based subcontractors?
• Do we have contracting arrangements in place to ensure compliance works all the way down the supply chain?
• Have I notified our procurement and compliance partners about potential vendor issues/changes?
PERSONAL DATA IS NOT A COMMODITY
STEWART DRESNER | privacylaws.com

The four year battle over the wording of the European Union’s new Data Protection Regulation was largely finished in December 2015, meaning it is time to move on from the rhetoric of the opposing camps to planning for implementation.

Personal Data: the Lifeblood of Modern Life
Business wants one legal regime for personal data across Europe. But the final agreed document is at an uncomfortably high level for many companies. Last month, Paul Nemitz, Director, Fundamental Rights and Union Citizenship at the European Commission, gave a rare commendation to a specific company for its privacy practices. He declared: “Personal data is not a commodity. It is the life blood of modern life in the 21st century. In European history and culture, a person is not an object… Personal data is like the stock market. If there is lack of confidence, then the value of a company goes down. Apple is strong on data and encryption, and is the world’s highest value company on the stock market.” He wanted to show that respect for personal data is compatible with commercial success.

For anyone not wanting to struggle through the 209 page document, here are a few of the Regulation’s most important strategic points for your organisation:

People worry about what is happening with their personal data. This can lead to distrust for businesses and the government which holds and processes this data. In the US, data breaches have been the main focus of attention for companies and individuals, driven by state legislation starting with California. But the emphasis in Europe is rights for individuals and resulting heavyweight legal duties for companies.

Unambiguous Consent for the Collection of Personal Data
Longstanding rights of access and correction are now greatly expanded to include “unambiguous consent” for use of a person’s data and a right of data portability. This means that, for example, individuals will be entitled to transfer their mobile device records from one supplier to get a quote from another.

Facebook was fined 250,000 euros a day for violating Belgian privacy laws.

The Belgian court ruled that Facebook’s practice of putting cookies on devices of non-Facebook registered users visiting Facebook violates Belgian data protection law. According to Facebook, these cookies are necessary for security reasons. Whereas people with Facebook accounts are more likely to understand this process, visitors to Facebook who do not have an account are unlikely to understand the implications of their visit. The privacy policy relevant to them is on page 10 of a 10 page policy, and even clicking on a Facebook “like” button or choosing a language option is considered an opt-in according to Facebook’s procedure.
This case is a preview of what can be expected when the EU Data Protection Regulation enters into force in 2018. The Data Protection Authorities will expect a company, such as Facebook, which has not gained “unambiguous consent” for use of a person’s data, to comply with such orders in all territories of the EU as a means of aiming for consistency with the requirements of the EU Data Protection Regulation.

The General Data Protection Regulation goes into effect in 2018.

More attention has been given to the Court of Justice of the European Union. Last October, it was determined in the Schrems case that the US-EU Safe Harbour was no longer valid as a legal basis for transferring personal data from the European Economic Area to the US. As a special deal for the US based on self-regulation, some commentators regarded the Safe Harbour as “neither safe nor a harbour.” As a result, many multinational companies, such as Salesforce, have quickly turned to the legal alternatives, EU model contracts and Binding Corporate Rules.

European storage and cloud services increasingly attractive
Seeing the direction of travel of the EU Data Protection Regulation negotiations, many companies are shifting their processing and storage of customer and employee data to a country in the European Union. This move will give companies more certainty about a secure legal basis for their processing of personal data. This is a substantial commercial opportunity for cloud services that give customers an opportunity to specify the country in which they want to base their service. In the same way, some traditionally US-based cloud services now offer EU-based options. Microsoft is even running a long legal battle in the New York courts denying that US law applies to these EU-based services. An EU-based archiving service is in some respects more attractive than one based in the U.S.
HOW DO NEW DATA PRIVACY LAWS AFFECT RECORDS MANAGERS?
GAVIN SIGGERS | Iron Mountain

Data privacy laws are in the news a lot lately. The proliferation of data and the growing number of data hacks has put data privacy in the spotlight, with many organisations left wondering where they should go next with their current data privacy, protection and compliance plans. The following is information intended for records and information managers, who may be one of the least-addressed groups when it comes to this issue.

Ensure you have a voice in your organisation.
New data protection laws will directly affect the way you do business, and it’s imperative that your legal department or external law firm is complemented by your knowledge of day-to-day records management processes. The general tendency for organisations is to dump all legal matters on external lawyers, but these lawyers won’t be looking at your business’ operational needs from an information governance perspective. The information governance stakeholder group should have privacy as part of its remit, and the records manager should be a key player in that group.

Take a pragmatic approach.
Make sure to connect and get the input of individuals at your company who understand business operations and strategy. The information governance stakeholders that adopt privacy issues will be able to position solutions in a broader context that aligns to those strategic and operational needs.

Don’t forget about paper.
Paper and data privacy: you may be wondering exactly where I’m going with this. Most people talking about data protection aren’t focusing on physical assets; they’re focusing on digital data because of the high profile cyber-attacks happening nearly every week. However, paper is important in the data privacy conversation precisely because it’s now so easy to ignore. This raises potential threats surrounding your records falling into the wrong hands. Though organisations are reducing their reliance on paper, nearly every organisation still uses it in some format. This disposable medium is posing an unseen risk. It’s all this blog would have been about 15 years ago, and we can’t forget about it now. That’s why secure information destruction is so important.

Paper also poses a risk in that it can be quite difficult to find once misplaced. If you don’t have the indexing and digitising plans in place to keep your information well-organised, you may find yourself in hot water when a disclosure or subject access request is submitted. For the eighth consecutive year, the average cost per lost or stolen record has risen. The figure rose from €122 in 2014 to €133 per record in 2015, according to Information Security Buzz. The longer paper sits without any plan, the bigger risk it becomes. After all, sometimes you don’t know what you’re missing until you need it.

Encourage information responsibility.
Getting control of your paper is just as important as protecting your digital data. And it’s your job as a records manager to make paper an equal priority.
With the onset of new data privacy laws being put
in place across Europe, it can be tempting as an
IT manager to let it all go over your head. After all,
what does that litigation have to do with you and
your company? In short, a lot. Here are some sugges
tions for improving your IT department’s focus on
data privacy.
1.
Fully understand the greater business
and its functions. If you don’t understand
your business units, you’ll never truly
understand what data they need to keep, why
they’re keeping it and for how long it must be
kept. To reach this goal, work on the ability to
communicate what the impacts are of keeping
that data in terms of time, money and risk.
The more you know about the business
functions, the more you can influence the
mindset of the C-suite and your business
partners—and keep control of your data so it
doesn’t control you.
2. Recognise the retention policies for
your company and industry. Understanding
what your organisation requires in terms of
compliance is of the utmost importance.
Keep in mind statutes of limitation, general
contracts and other legal concerns.
Tech firms will have to report
serious data breaches to regulators
within 72 hours.
3. Keep Your Eye on the Law. It’s vital to stay
on top of current and upcoming legislation for
your industry in particular and for organisa
tions in general. The European Union has
approved significant changes to data laws,
aimed at putting individuals back in charge of
their information. This represents the biggest
shake-up to privacy regulations in 20 years,
according to experts. Under this new litigation
(which comes into force in 2018), companies
could face could face fines of up to 4% of their
global annual turnover during the e-Discovery
process. Here are a few other ways this
litigation will change the way organisations
approach data privacy:
5 THINGS YOUR IT TEAM NEEDS TO
KNOW ABOUT DATA PRIVACY
JOHN WOOLLEY | Iron Mountain
Consumers’ right to be forgotten will be extended beyond search engines to all aspects of their web history. Example: a user could request to have his or her Twitter profile removed.

Consumers have the right to transfer their data from one company to another. Example: a consumer could request that all of his or her data related to an online shopping purchase be sent to him so that his personal preferences can be used by a new preferred retailer.
Companies that handle significant amounts of data will have to employ a data protection officer.

Stewart Room, head of data privacy at PwC, explains: “The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU” — BBC
4. Reconsider what information needs to be kept and how. Some information needs to be kept online, while other information can be archived for long-term storage. Keep a redacted, easily accessible copy online with enough to affirm business requirements, while also reducing the exposure to customers/employees. This will ensure that you aren’t as heavily affected in a breach (and that your customers and employees are protected). Think about how this is traded off against latency of recovery for a fully populated offline copy. If you’re worried about managing the archival information located on tapes because you don’t have the resources internally and/or want to focus on core business, consider partnering with a vendor that can provide a managed tape service.
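One way to build the redacted online copy this step describes, as an added example that is not from the article or from Iron Mountain: a Python script that keeps only the business fields in the online tier, replaces the customer identifier with a keyed pseudonym, stores a keyed digest so the online copy can later be matched against the full record in the offline archive, and checks before publication that no personal field has leaked into the online copy. The sample record, the field lists, the key and all function names are constructed assumptions; the HMAC-based pseudonym and keyed digest are one design choice, not something the article prescribes.

```python
"""Data-minimised online copy beside the full offline archive.

Constructed example: the record, field lists and key are placeholders, and
the HMAC-based pseudonym and keyed digest are one design choice, not a
scheme the article prescribes.
"""
import hashlib
import hmac
import json

# Fields the business needs in order to answer routine queries from the online copy.
ONLINE_FIELDS = {"order_id", "order_date", "country", "amount", "status"}

# Direct identifiers that belong only in the full offline archive.
PERSONAL_FIELDS = {"name", "email", "phone", "address", "date_of_birth"}

# Constructed sample record (not real data).
FULL_RECORD = {
    "order_id": "ORD-000123",
    "order_date": "2016-09-22",
    "country": "GB",
    "amount": 149.99,
    "status": "delivered",
    "customer_id": "CUST-4711",
    "name": "Jane Example",
    "email": "jane@example.org",
    "phone": "+44 20 7946 0000",
    "address": "1 Example Street, London",
    "date_of_birth": "1980-01-01",
}

# Placeholder key. In practice it is held with the offline archive (HSM or KMS),
# never deployed alongside the online copy, so a breach of the online tier
# cannot reverse the pseudonyms or forge digests.
ARCHIVE_KEY = b"placeholder-archive-key"


def canonical_bytes(record: dict) -> bytes:
    """Stable serialisation so digests are reproducible across runs and hosts."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def pseudonym(customer_id: str, key: bytes = ARCHIVE_KEY) -> str:
    """Keyed token that stands in for the customer in the online tier. Without the
    key it cannot be turned back into the customer id."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise_for_online(full: dict, key: bytes = ARCHIVE_KEY) -> dict:
    """Build the redacted online copy: business fields only, a pseudonymous
    customer reference, and a keyed digest of the full record so the online copy
    can later be checked against the offline archive."""
    online = {k: full[k] for k in sorted(ONLINE_FIELDS) if k in full}
    online["customer_ref"] = pseudonym(full["customer_id"], key)
    online["archive_digest"] = hmac.new(key, canonical_bytes(full), hashlib.sha256).hexdigest()
    return online


def leaked_personal_fields(online: dict, full: dict) -> set:
    """Pre-publication check: names of personal fields (or the raw customer id)
    whose value still appears anywhere in the online copy. Expected: empty set."""
    rendered = json.dumps(online, sort_keys=True)
    return {k for k in PERSONAL_FIELDS | {"customer_id"}
            if k in full and str(full[k]) in rendered}


def matches_archive(online: dict, full: dict, key: bytes = ARCHIVE_KEY) -> bool:
    """Recovery check: does this online copy correspond to this archived record?"""
    expected = hmac.new(key, canonical_bytes(full), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, online["archive_digest"])


if __name__ == "__main__":
    online_copy = minimise_for_online(FULL_RECORD)
    print(json.dumps(online_copy, indent=2))
    print("leaked personal fields:", leaked_personal_fields(online_copy, FULL_RECORD))
    print("matches archive:", matches_archive(online_copy, FULL_RECORD))
```

The leak check is deliberately value-based rather than key-based: renaming a column does not hide an e-mail address, so the check looks for the personal values themselves anywhere in the serialised online copy.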
5. Keep employees and customers top of mind. Know how much personal information your organisation is keeping on its employees and customers and the existing practices around this data. Strengthen your organisation’s password and firewall controls, and educate both groups about following data privacy best practices. You’ll also want to reach out to senior leadership to get them on board with your data privacy policy and keep them in the know.
I have a strong opinion around why organisations continue to store so much unstructured data. Many IT professionals simply do not have the time to wade through best practices for retention, nor are they given a solid steer by the business itself—unless there has been significant investment in a compliance team. Danger arises when a lack of policies means a default decision to keep all data forever. In this case, storage and backup solutions become a major financial burden to an organisation.

How do you begin to define your retention policies? Follow these five steps:
1. Establish global baseline retention policies. Begin by establishing a baseline (or minimum) retention. If you are a multinational, you’ll need to understand potential worldwide applicability for certain types of records. Your policy should provide flexibility for different countries to exercise their discretion to lengthen or extend these baseline retention periods, based on valid legal or business needs.
2. Assess accounting and tax records. Governments impose a legal requirement to protect their ability to collect taxes. To do this, they must have access to accounting records to scrutinise during tax audits. Because of this, accounting and tax records are the biggest target for records retention.

Virtually every country has enacted laws that mandate the retention of ledgers, journals and other books of account, as well as additional supporting documentation such as vouchers, balance sheets, records of goods bought and sold and inventories of stock. These retention requirements are found in the commercial codes of country laws and/or in the tax codes. Typically the retention period is five to 10 years; however, this is not applicable to all systems and data that pertains to accounting records, structured or not.

Finally, bear in mind that I have yet to meet an accounts department that will delete data from a financial system. This is important to remember when dealing with archives derived from backup.
5 STEPS TO DEFINING YOUR RETENTION POLICIES
JOHN WOOLLEY | Iron Mountain

[Figure: diagram with the labels POLICY, TAX RECORDS, DOCUMENTS, LIMITATIONS, FUNCTION]

3. Understand the impact of general/corporate legal documents. After accounting records, general corporate/legal documents are the most frequent target for retention laws. Requirements for these documents typically appear in the business corporation laws or commercial codes of the countries in which organisations operate, and they usually apply to all businesses domiciled within the country, including units of foreign-owned, multinational corporations.
Although they vary in coverage and specificity, these laws typically mandate the retention of records such as minute books, articles of incorporation, shareholder registers, financial statements, deeds and other documents serving as evidence of the legal status and ownership of the business.

Some countries have specific laws about record retention, while others have more general laws. The retention periods range from three years to permanent; 10 years is the average.
The intent here is to ensure the preservation of records of closed businesses through the period of receivership and payment of creditors or other legal distribution of assets.
4. Follow statutes of limitations. Statutes of limitations — or periods of prescription, as they are called in civil law countries — are a major factor in establishing retention periods for business records. These laws are not requirements to retain records; they simply specify how long parties can sue or be sued concerning a certain matter.

Multinational companies have a major interest in retaining such records, as they may be needed to institute legal proceedings against other parties or to defend themselves against unwarranted claims brought by other parties. These records may define and limit risk and liability in terms of retention. The following matters are most relevant to records retention:
General contracts: Retention requirements range from one year from discovery of breach in China to an average of six years from the last date on which action took place in the United Kingdom.

Taxation: Retention requirements range from an average of five years in Brazil and Germany to 0 years, in cases where taxpayers fail to file a return or file a false return for purposes of evading taxes in Thailand.

Product liability: Retention requirements range from 3 years from the plaintiff’s awareness of damage in Finland to 30 years in cases where product defects have been fraudulently concealed by the seller in Germany.

Personal injury: Retention requirements range from 3 years from the date on which the cause of action occurred in Ireland to as much as 20 years following the event that caused the damage in the Netherlands.

Once the relevant laws have been discovered, multinational records managers should work with their legal counsel to incorporate them into retention policies of global coverage.
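A retention schedule resolver that turns the steps above into a decision procedure, as an added example that is not from the article or from Iron Mountain: a global baseline per record class (step 1), country-specific periods that may lengthen but never shorten the baseline, permanent retention for some corporate records (step 3), and statute-of-limitation periods (step 4) feeding into a disposal date and a dispose/retain/hold outcome per record. The year values are illustrative, picked from the ranges the article quotes, and are not an authoritative schedule; the Record fields, the legal-hold flag, the sample inventory and the function names are assumptions.

```python
"""Retention schedule resolver: global baseline plus country extensions.

Constructed example. The year values are illustrative, taken from the ranges
the article quotes, not an authoritative schedule; the Record fields, the
legal-hold flag and the dispose/retain/hold outcomes are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Step 1: global baseline (minimum) retention in years per record class.
BASELINE_YEARS = {
    "accounting": 10,
    "corporate_legal": 10,
    "general_contract": 6,
    "product_liability": 3,
    "personal_injury": 3,
}

# Country-specific periods. None means permanent retention. A country may
# lengthen the baseline; a shorter local period never overrides it.
COUNTRY_YEARS = {
    ("GB", "general_contract"): 6,
    ("CN", "general_contract"): 1,      # shorter than baseline: baseline wins
    ("DE", "product_liability"): 30,
    ("FI", "product_liability"): 3,
    ("NL", "personal_injury"): 20,
    ("IE", "personal_injury"): 3,
    ("DE", "corporate_legal"): None,    # permanent (illustrative)
}


@dataclass
class Record:
    record_id: str
    record_class: str
    country: str
    trigger_date: date          # fiscal year end, contract end, incident date ...
    legal_hold: bool = False    # assumption: active litigation blocks disposal


def retention_years(record_class: str, country: str) -> Optional[int]:
    """Effective period: the longer of baseline and local rule; None = permanent."""
    baseline = BASELINE_YEARS[record_class]
    local = COUNTRY_YEARS.get((country, record_class), baseline)
    if local is None:
        return None
    return max(baseline, local)


def add_years(d: date, years: int) -> date:
    """Calendar-safe year arithmetic (29 February rolls back to 28 February)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(record: Record) -> Optional[date]:
    """Earliest date the record may be disposed of; None for permanent records."""
    years = retention_years(record.record_class, record.country)
    return None if years is None else add_years(record.trigger_date, years)


def disposition(record: Record, today: date) -> str:
    """'hold' while under legal hold, 'retain' until the period expires (or
    forever for permanent records), otherwise 'dispose'."""
    if record.legal_hold:
        return "hold"
    due = disposal_date(record)
    if due is None or today < due:
        return "retain"
    return "dispose"


def disposition_report(records, today: date) -> dict:
    """Map record id -> outcome for a whole inventory on a given day."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample inventory and review date.
SAMPLE_TODAY = date(2016, 9, 22)
SAMPLE_RECORDS = [
    Record("R1", "general_contract", "GB", date(2010, 3, 31)),
    Record("R2", "general_contract", "CN", date(2012, 1, 15)),
    Record("R3", "product_liability", "DE", date(2000, 6, 1)),
    Record("R4", "personal_injury", "IE", date(2015, 5, 5)),
    Record("R5", "corporate_legal", "DE", date(1990, 1, 1)),
    Record("R6", "accounting", "GB", date(2005, 12, 31), legal_hold=True),
    Record("R7", "accounting", "FR", date(2012, 2, 29)),
]

if __name__ == "__main__":
    for rid, action in disposition_report(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(rid, action)
```

The trigger date is the part that needs the most care in practice: the article's own examples count from different events (discovery of breach, last action, awareness of damage), so the schedule should record which event starts the clock for each record class rather than assuming the creation date.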