Thursday, January 26, 2017

GDPR Compliance ... SHOWTIME!

Today, this elephant looks hypothetically a year ahead to the Spring of 2018.

Pretend it's now just weeks until 25May2018, the kickoff day for full GDPR enforcement. Assume that your enterprise actively captures personal data from EU data subjects, and as such is fully GDPR-exposed. Depending on your enterprise's appetite for risk of regulatory sanctions, it's now time to be GDPR-compliant. It's SHOWTIME!

As that big date looms, one might wonder "Who will be the judge of whether or not my enterprise is compliant?" And how and why would my enterprise be singled out from thousands of others "in the same boat" with respect to full compliance? Who would take the time to pore through the data studies, impact assessments, gap analyses, etc. that my team has conducted over the past many months? Who would question our accountability? Who would complain?

An answer to those questions is chillingly simple: to sample your dedication to compliance, all anyone will need to do is visit any of your public-facing websites or mobile apps where you touch personal data and look at how you manage consent dialogues with your data subjects. In all cases, do you:

1. Gather affirmative, explicit consent (Articles 5, 6, 7, 13 & 14)?
2. Provide explicit and transparent pre-consent notice (Articles 12, 13, 14 & 22)?
3. Present and manage data subjects' individual rights (Articles 12-22)?

It will take just a LOOK to assess and document your enthusiasm for compliance. Truly, SHOWTIME ... out there for all to see.

Returning now to the present: the drafters of the GDPR have seen the protection of EU citizens' personal data as a fundamental right (Recital 1, sentence 1). The spirit of the regulation embraces protecting consumers by building a fair, safe, and trusted notice/consent dialogue around the passing and processing of personal data. Exhibiting that positive spirit at SHOWTIME will speak volumes to those who could/would judge your dedication to GDPR compliance.

Privacy-by-designing and building a compliant notice/consent dialogue is not a trivial exercise, yet the GDPR itself suggests a variety of solutions. Click here to learn more about what is required, and here to learn more about tools and resources now available for help.

Dale Smith, CIPT

Wednesday, December 28, 2016

2017: Beginning of the end for "Post & Hope"

by Dale Smith, CIPT

Privacy Policies. Today, the Elephant remembers privacy policies.

A large majority of today's data-gathering institutions comply with various governmental privacy regulations dating back to the 1970s by posting a formal privacy policy. Typically, this post takes the form of a lengthy, comprehensive, high-level, legally oriented document which states how the institution manages consumers' private information as it is gathered, used, and stored.

Such a "boilerplate" policy is further characterized by the general absence of any facility for consumers' real-time interaction for questions or clarifications. It's a one-way street ... the sound of one hand clapping. This Elephant calls it a "Post and Hope" format.

Hope for what? In the best case, the hope is that the consumer will be well served by reading the document's content and make a well-informed decision on giving up requested PII. In a less-commendable case, it could be the hope that the consumer is obfuscated by the document's defensive complexity, gives up on any due diligence, and blindly ticks the "I Agree" box in frustration.

Even in the best cases, this operational disconnect cries out for improvement, yet privacy pros have dithered over a solution for many years. How could the notice/consent process better protect the consumer, while fairly respecting the institution's value proposition? Could institutions build digital trust with consumers as a by-product of gathering their personal information?

In my opinion, the drafters of the European Union's General Data Protection Regulation (GDPR) have successfully addressed this issue by redefining the notice standard for the compliant gathering of consent. Simply put, GDPR-compliant consent is gathered as part of a bilateral exchange between institution and consumer. It's a two-way street ... the sound of both hands clapping.

As the clock ticks toward 25May2018 (enforcement start day for GDPR), PrivacyCheq PID solutions facilitate the transition from "Post and Hope" to GDPR-compliant informed consent. A remote demo is available, with more to come.

Friday, December 9, 2016

IoT Privacy Podcast

In this episode of the IoT Business Show, Bruce Sinclair speaks with Dale Smith about the top 5 best practices in handling personally identifiable information (PII) and other IoT privacy issues.

Listen to the Podcast here