GDPR: Deep Dive - Causes
- Kristen Swearingen
- Feb 15, 2022
- 5 min read

Causes
At this point, a person could be overwhelmed and ready to throw their laptop. Chances are good that you are either overwhelmed with information or underwhelmed by the majority of organizations' seemingly ineffectual efforts at compliance. Depending upon the time of day and/or mood, you could be a little bit of both, and those feelings are all valid.
Organizational failures
The unfortunate reality is that most organizations that still operate as a set of traditional, separate departments are not set up to succeed in today's business world. No matter the flood of tools, methodologies, solutions, and frameworks being marketed, without a core understanding of the underlying disconnect, all of them are doomed to varying degrees of failure.
No, this is not doomsday speak, and I am not suggesting that anyone throw in the towel. Instead, this is another opportunity to paint a picture that we all know too well. Hopefully, in doing so, the Regulation and the violations experienced by these organizations will illustrate the deeper need for a change in mindset and begin to connect those silos.
Is this intentional?

On a first pass through the previous posts, you may be imagining a cartoon villain, twirling his moustache and plotting the next sinister scheme against innocent users.
You might be at a loss as to how an organization can get something so simple so wrong, repeatedly. You may have read these posts and assumed that these organizations have a blatant disregard for data and user privacy policies and rights, and that may very well be true for some.
But in reality, does anyone truly believe that these companies have so much money and so little respect for their users that they are throwing caution to the wind and making no effort at all toward these safety and data privacy regulations?
Is it possible instead that they are doing everything they have always done, are now getting undesirable results, and do not know what to do about it?
Can/should we assume best intent?
It cannot be a coincidence that organizations violate the same Articles of the Regulation repeatedly. While this may be related to the Articles themselves, it can only help to review the usual suspects.
Some violations are easily tied to a single Article; many others are implied or derived from multiple Articles, increasing the difficulty for understanding and compliance. Still, there are some concepts with recurring issues.
Legitimate interest
As noted in the top fines from the previous post, "legitimate interest" was cited, and rejected, as grounds for processing personal data multiple times.
In the normal course of carrying out business activities, personal data may need to be processed. If that processing is not justified by a legal obligation and is not necessary to fulfil the terms of a contract, it can still be conducted on the grounds of "legitimate interest," the basis set out in Article 6(1)(f).
A common practice is to use this term as a "catch all" categorization, without taking the time to perform due diligence and determine if this processing is necessary. The fact that a process has always been conducted a certain way does not "legitimize" it; GDPR requires a review and ensuing documentation to ascertain legitimacy.
The effort required to conduct these evaluations is labor-intensive, and review of data at this level is often not prioritized. In many cases, the organization is unaware that this examination is precisely what the Regulation intends. The lack of inspection, and of the supporting evidence it would create, is itself a violation that results in fines.
Even if an organization has examined the process and deemed its interest legitimate, it is not excused from informing individuals of the processing in question; it must still do so. A final step is then needed to confirm that the rights and freedoms of the individuals are not overridden by the process. If it is determined that they are, the justification cannot be used, even if the interest had been considered legitimate. The company will have to find another legal basis for the activity or an alternative way to conduct its business.
This is described in Article 6, Recitals 47, 48, and 49, and the Article 29 Working Party's Opinion 06/2014 on the notion of legitimate interests of the data controller.
Cookies
Many of the Top 25 fines refer to violations involving "cookie consent." This is primarily because cookies are the mechanism most frequently used to track online activity, and thus to target users. To complicate understanding somewhat, the rules governing cookies themselves are split between the GDPR and the ePrivacy Directive.
Cookies in themselves are harmless and are essential to crucial website functions. In the full 88 pages of the GDPR, cookies are mentioned directly only once, in Recital 30. The beauty, and the downfall, is the wealth of data that a cookie can potentially store. When that data is enough to identify an individual, the cookie becomes "personal data" and is subject to the GDPR as such.
GDPR.eu provides guidance specifically related to this issue: Cookies, the GDPR and the ePrivacy Directive.
Given that, in the violations involving "cookie consent," what is truly at stake is the consent to process personal data.
Consent
Consent itself is the most abused topic, perhaps because it is a concept defined through a combination of the following Articles:
Article 4 - Definitions
Article 6 - Lawfulness of processing
Article 7 - Conditions for consent
Article 8 - Conditions applicable to child's consent in relation to information society services
Article 9 - Processing of special categories of personal data
Article 13 - Information to be provided where personal data are collected from the data subject
Article 14 - Information to be provided where personal data have not been obtained from the data subject
Article 17 - Right to erasure ("right to be forgotten")
Article 18 - Right to restriction of processing
Article 20 - Right to data portability
Article 22 - Automated individual decision-making, including profiling
Article 40 - Codes of conduct
Article 49 - Derogations for specific situations
Article 83 - General conditions for imposing administrative fines
Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
It is noteworthy that the term "consent" does not cover acceptance alone. It also encompasses refusal of consent, revocation of consent, auditing and modification of records related to consent of any kind, the individual's access to and ownership of all traces, clear communication of the context and terms relevant to the consent decision, the manner in which any form of consent is requested or remediated, and a timely response to all of these.
It is deceptive to simplify the breadth and scope of this topic's rules with only the word "consent."
Privacy policy
Company privacy policies were another frequent point of contention. A privacy notice is a public document from an organization that explains how that organization processes personal data and applies data protection principles. (While the terms "privacy notice" and "privacy policy" are not used in the text of the GDPR, they are implied and are considered interchangeable.)
Detailed information describing how to create a privacy notice, as well as emphasis on ease of understanding and accessibility, is available in Articles 12, 13, and 14. Perhaps more helpful in practice, though, is guidance provided by GDPR.eu, with step-by-step explanations for creating your own GDPR-compliant privacy notice, complete with a downloadable template. (The site's own Privacy Policy can be reviewed as well.)
For clarity, the titles of the referenced Articles in the Regulation are:
Article 12 - Transparent information, communication, and modalities for the exercise of the rights of the data subject
Article 13 - Information to be provided where personal data are collected from the data subject
Article 14 - Information to be provided where personal data have not been obtained from the data subject
Other
Articles 6, 13, 14, 17, and 22 were included in the consent list above, but each is also referenced individually and can stand alone as the basis of a violation. Two further Articles, 5 and 47, appear on their own as well. They are titled as follows:
Article 6 - Lawfulness of processing
Article 13 - Information to be provided where personal data are collected from the data subject
Article 14 - Information to be provided where personal data have not been obtained from the data subject
Article 17 - Right to erasure ("right to be forgotten")
Article 22 - Automated individual decision-making, including profiling
Article 5 - Principles relating to processing of personal data
Article 47 - Binding corporate rules