ACP Chapter Meeting June 2018
What we need to know about the GDPR,
the new Data Protection Initiative from the European Union
Many US companies have been preparing for a very large change in privacy regulations initiated by the European Union, and the June meeting of ACP brought valuable information about those upcoming changes to our members. Through a highly informative presentation by Jennifer Kurtz* of Manufacturers Edge, the group learned the basics of the new regulations and gained an understanding of the impact to our DRBC responsibilities and our companies’ practices.
What is the GDPR, and who should care about it?
Known as the General Data Protection Regulation, the GDPR is an expansion of the 1995 European Union Data Protection Initiative. Finalized in 2016, the deadline for compliance with GDPR was May 25, 2018.
The GDPR addresses the rights and practices of different communities of data users that act with and within the European Union: data subjects (e.g., individuals whose characteristics or behaviors are being monitored), data controllers (those who possess sensitive data pertaining to data subjects, e.g., online retailer), and data processors (those who work on behalf of the data controller, e.g., email automation service).
What are the underlying principles of the GDPR?
- Fairness
- Lawfulness
- Transparency
- Consistent purpose
- Data minimization
- Accuracy
- Time limitation
- Integrity
- Confidentiality
- Accountability
How do EU privacy expectations and practices differ from those in the US?
| USA | EUROPE |
| --- | --- |
| Underlying philosophy: right of expression; right to inform; right to privacy/right to be left alone (Louis Brandeis, 1890) | Underlying philosophy: right to be forgotten; right to erasure (essentially, right to delisting or delinking) |
| No uniform nationwide standard | EU minimum standard |
| 50 different approaches (AL enacted data breach notification law 4 April 2018) | Possibility of country-by-country “add-ons” |
| Indefinite purpose/unlimited retention | Specific purpose/limited retention |
| Vermont: most aligned with GDPR as of early June with law passed requiring data brokers to register with the state, take standard security measures, and notify authorities of security breaches. Consumer rights to legal action if personal data used to discriminate. | Article 8 of the European Convention of Human Rights (ECHR) clearly specifies that “everyone has the right to respect for his private and family life, his home and his correspondence.” |
| California: proposed California Consumer Privacy Act of 2018 would include GDPR-like consent option and redress for breaches | |
*Jennifer Kurtz works with Manufacturer’s Edge clients to protect their information assets and achieve compliance with security standards like ISO 27001 and NIST 800-171. Since 2011, Jennifer has promoted the success of hundreds of small businesses through work with the Denver Metro and Pikes Peak SBDCs, and co-led the Leading Edge for Transportation / Construction Industry and the Growth Catalyst Business Coaching programs. She has developed and taught graduate courses in cybersecurity and project management at Regis University since 2011; authored Hacking Wireless Access Points: Cracking, Tracking, and Signal Jacking (2016) and a chapter of The Data Breach and Encryption Handbook (2011); written numerous articles on cybersecurity, economic development, and eGovernment; and designed online cybersecurity courses for small businesses and individuals. Before moving to Colorado, Jennifer was IT manager for an international automotive manufacturer, project manager for the Indiana manufacturing extension partnership, affiliate faculty at Ball State University, and award-winning director of ecommerce for the State of Indiana. She holds an MBA and a PMP certification.