DataOlogie | When Data Matters | Data Protection | Data Management
https://dataologie.com

SCCs – International Transfers
https://dataologie.com/sccs-international-transfers/
Published: Tue, 09 Nov 2021 23:12:45 +0000

What is the new SCC?

Organizations subject to the EU GDPR may transfer personal data to a third country only where the European Commission has adopted an adequacy decision for that country under Article 45 GDPR or, absent such a decision, where they provide “appropriate safeguards” within the meaning of Article 46 GDPR. The SCCs adopted by the European Commission are the most widely used appropriate safeguard today.

The SCCs (i) impose contractual data protection obligations on non-EEA organizations, and (ii) place a non-EEA organization that fails to comply with those contractual obligations in breach of contract, so that data subjects can sue it in Europe.

When will the old SCC be replaced?

The earlier SCCs, adopted by European Commission Decisions 2001/497/EC and 2004/915/EC (controller-to-controller relationships) and Decision 2010/87/EU (controller-to-processor relationships), were officially repealed on September 27, 2021. They can no longer be included in data transfer agreements entered into after September 27, 2021.

Data transfer agreements incorporating the previous SCCs that were entered into before September 27, 2021 remain valid for the processing operations covered by the agreement, as long as those operations remain unchanged, and the personal data transfers relying on those clauses continue to be covered by appropriate safeguards. These agreements need to be amended by December 27, 2022 and the previous SCCs replaced with the new SCCs.

Who can use the new SCC?

The new SCCs work for different types of relationships:

  • EEA controller to non-EEA controller (previously covered by the SCCs under Decision 2001/497/EC, as amended by Decision 2004/915/EC);
  • EEA controller to non-EEA processor (previously covered by the SCCs under Decision 2010/87/EU);
  • EEA processor to non-EEA sub-processor (not previously covered by the SCCs under Decision 2010/87/EU, so those clauses could only be signed by a processor acting under a power of attorney from the controller);
  • EEA processor to non-EEA controller (previously not addressed by the SCCs).

What are the new features of these SCCs?

The new SCCs impose additional obligations on non-EEA controllers and processors, especially with respect to information to data subjects, reporting of personal data breaches, and onward transfers outside the EEA. Data importers must assess, and declare, that the laws and practices of the destination third country do not prevent them from fulfilling their SCC-based obligations, including in the face of requirements to disclose personal data and measures that allow access by public authorities. The new SCCs also include a “docking clause” that allows additional parties to accede.

Are they also relevant under the UK GDPR?

The new SCCs do not work as a transfer tool within the meaning of Article 46 of the UK GDPR (that is, the EU GDPR as retained in UK law under the European Union (Withdrawal) Act 2018). Companies subject to the UK GDPR should continue to use the previous SCCs. The UK Data Protection Authority (ICO) confirmed at the 2021 Data Protection Working-level Conference that it is working on a new set of SCCs specific to the UK.

What should organizations do next?

Organizations subject to the EU GDPR and/or the UK GDPR should consider (i) updating their data protection addendum templates to incorporate the new SCCs by September 27, 2021 at the latest, and (ii) amending existing data transfer agreements to incorporate the new SCCs by December 27, 2022 at the latest. This applies to every counterparty (service provider, partner …) with whom they have entered, or are about to enter, into a data transfer agreement.

To comply with the General Data Protection Regulation (“GDPR”), organizations must map and validate their international data transfers and the corresponding transfer mechanisms so that the necessary changes can be made in a timely manner.

Compliance, Schrems II, new SCCs and the most important changes:

Using standard contractual clauses does not automatically make an international data transfer compliant with the GDPR. The parties must adequately assess and document any international data transfer, address the corresponding risks and take supplementary measures to the extent required. Schrems II and the European Data Protection Board’s (“EDPB”) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”) and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Essential Guarantees”) provide relevant criteria in that regard.

The impact of Schrems II on international data transfers has been taken into consideration in the new SCCs, together with the need to align the former SCCs with the GDPR and bring them up to date with developments in the digital economy. The new SCCs provide a framework to structure what are termed ‘transfer impact assessments’ (“TIA”), and they shed light on the parties’ obligations to conduct such a TIA.

The most important changes in the new SCCs are:

  • Broadened scope: The new SCCs supplement the existing controller-to-controller (“C2C”) and controller-to-processor (“C2P”) modules with processor-to-processor (“P2P”) and processor-to-controller (“P2C”) modules.
  • GDPR alignment: The new SCCs closely align with the terminology and provisions of the GDPR and incorporate the requirements of Article 28 GDPR into the C2P and P2P modules.
  • Docking clause: The new SCCs facilitate multi-party configurations by allowing new parties to accede to the international data transfer agreement between the existing parties throughout the lifecycle of the agreement.
  • Transfer impact assessment: The new SCCs specify the requirement to conduct a transfer impact assessment. Data exporters and data importers need to assess whether the laws and practices of the third country pose a barrier to the data importer’s compliance with the new SCCs. The new SCCs list certain matters that need to be taken into account in that regard, ranging from the circumstances of the transfer to the nature of the parties and personal data involved, and from the laws and practices of the third country of destination to the existence of any supplementary measures. The EDPB’s Recommendations and the Essential Guarantees provide additional guidance on these aspects of the assessment.
  • Active accountability: The new SCCs make clear that data exporters and data importers need to be able to demonstrate compliance with the new SCCs from the outset and on an ongoing basis. The new SCCs lay down the responsibilities and obligations of the data exporter and data importer; for example, the data importer’s obligation to perform a legality review and its notification and documentation obligations when it receives a legally binding request from competent authorities to access personal data.
  • Explicit data subject rights: The new SCCs now explicitly state that, upon request, data subjects must be provided with a copy or a meaningful summary of the international data transfer agreement. In addition, they need to be notified in the event of a high-risk data breach as well as of any access request by competent authorities (if permitted).

Actions to be taken: to the extent not already done, it is recommended that organizations ensure that:

  • they review and map their data transfers and the corresponding transfer mechanisms;
  • from 27 September 2021, any new international data transfer agreement incorporates the new SCCs;
  • any alteration of an existing international data transfer agreement prior to 27 December 2022 includes replacing the former SCCs with the new SCCs;
  • counterparties to existing international data transfer agreements are informed that the former SCCs will need to be replaced by the new SCCs no later than 27 December 2022;
  • they collect the information necessary to complete any documentation, such as choosing the appropriate new SCCs module and the relevant options within this module, etc.;
  • they conduct and document a TIA for every international data transfer to ascertain that data importers can actually fulfil the obligations in the new SCCs; and
  • they familiarise themselves with their obligations under the new SCCs and set up procedures to ensure that these can be satisfied, including periodic compliance reviews.

GDPR and how SaaS (Software as a service) businesses can become compliant with the GDPR
https://dataologie.com/gdpr-and-how-saas-software-as-a-service-businesses-can-become-compliant-with-the-gdpr/
Published: Thu, 28 Oct 2021 17:44:35 +0000

On May 25, 2018, the European Union introduced the General Data Protection Regulation (GDPR) to ensure maximum data protection privileges for people across the European Union. Since then, the GDPR has completely revolutionized the way data is handled, processed, and subsequently stored. The GDPR encompasses industries of diverse domains and categories, including the software segment. This also means that Software as a Service (SaaS) businesses need to adhere to the applicable GDPR restrictions.

But what exactly are the GDPR restrictions? How exactly do businesses achieve greater compliance with it? We will address these questions and more in the following few sections.

How Do You Make Your SaaS Business GDPR Compliant?

Now that you are aware of the preconditions, you might be wondering how to make your business GDPR compliant. Here are some more pointers to help you out.

Assign a DPO

SaaS businesses thrive on the processing of personal data, and because of this you especially need a Data Protection Officer (DPO), who will ensure that your data and information are handled properly and effectively. The DPO should also be registered with all relevant local data protection authorities. In addition, the DPO will help business owners maintain a separate internal record containing all information relating to the customer data processing carried out in their business.

Currently, companies are required to have a dedicated Data Protection Officer if they qualify as a public authority, and likewise if they monitor and/or process huge volumes of customer data.

Even though any employee of the organization can be appointed DPO, they still need to go through some initial vetting.

Implement a Cookie Policy and Update the Cookie Banner

To be a GDPR compliant SaaS business you need a detailed cookie policy that lists all existing active cookies on your web platform and their specific roles. You can either devise a strategy for this or utilize any existing automated app for the task.

In addition to implementing a proper cookie policy, you should also make sure the cookie banner on your website is up to date. For the uninitiated, this is the pop-up that appears when you visit a website for the first time. It is designed to inform the user about your company’s cookie policy. Make sure your website has an updated banner that the user can access and interact with.

Update Your Privacy Policy

Many SaaS businesses struggle to get GDPR compliance because their privacy policy is dated. To avoid this make sure your company’s Privacy Policy lists the kind of data you collect, how and why you collect the said data, and how long the data is stored on your portal. A current and updated privacy policy will also contain information relating to user rights and data sharing with third parties.

Maintain and Organize All Existing Data Flows

Every SaaS company has multiple data processing flows. However, to be GDPR compliant, you need to maintain and organize these flows. While the task may seem tedious, it is fairly simple and should only contain the following details:

  • Current and updated names of all divisions and sub-divisions in your organization
  • The type of customer/personal data that is handled by every division
  • The way the aforementioned data is processed
  • The individuals responsible for monitoring these processes

When you have the required information, curate it and save it in a central repository.

Compliance with additional vendors

If you are working or collaborating with third-party vendors, consult them to check their compliance with the GDPR. In case a vendor isn’t GDPR compliant, you need to ensure that they achieve compliance. If the party you are working and collaborating with shows no genuine interest in doing so, then as a SaaS business you need to reconsider the prospect of working with that party. Ideally, you should not just ensure that your own business is GDPR compliant, but also make sure that all third-party vendors you collaborate or interact with are compliant as well.

Data Processing Agreements

If you are a professional who performs data processing, you will need to sign data processing agreements with the data controllers. For the uninitiated, this is a legal contract setting out the specific roles and requirements of every individual client. In addition, it also needs to feature a descriptive SOP on the data safety standards to be met while the data is processed. Keeping these agreements in place will not just help improve GDPR compliance but will also help improve compliance with any third party you are working and interacting with.

Make sure all your third-party vendors and subsidiaries carry these data processing agreements. Additionally, your SaaS business should carry the same.

Technical Safety

In this day and age, cybersecurity attacks, breaches of data, and misappropriation of personal information are extremely common. Even the minutest error in judgment can lead to major and damaging repercussions. The solution? Secure your business and implement the highest standards of security for it.

Remember, upholding the security of personal data isn’t just limited to the regulatory realm. When it comes to business, this practice is equally crucial. When you follow the appropriate practices for information security, your customers too have peace of mind knowing that their information and data are completely safe. Many SaaS business owners naturally assume that they already meet the required safety standards because they are ISO certified and also GDPR compliant. However, you should never take data security lightly, and you should ensure stringent data protection standards for every type of customer information.

Organizational Safety

In addition to technical safety, you should also strive for organizational safety. This can be achieved by familiarizing all your employees with the preconditions of GDPR compliance. Share SOPs on the subject and make sure they reach every silo of the organization. You can also run organizational training to raise awareness of the subject.

So What’s the Gist?

Typically, to be a GDPR compliant SaaS business, you need to meet the following preconditions:

  • Do not collect excessive information, keep your requirements short, and share customer data only with required parties
  • If you are collecting user data, make sure you are fully transparent about the same. Explain what the data is needed for and adhere to your specified guidelines
  • Enable your customers to pick the data they are looking to share, retrieve the data, and modify it as and when needed. They should also have the flexibility for the permanent deletion of data.
  • Make sure the customer information is safe and, in the event of a data breach, notify the authorities immediately

Because the mentioned requirements are fairly simple, it should be easy for any existing SaaS business to adhere to them. If you respect your users and their data privacy, you will want to follow the above guidelines while processing and handling customer data.

For others, the EU has also come up with an extra incentive. In case you fail to adhere to the guidelines, you are likely to face a fine of 20 million Euros. Alternatively, you might be fined 4% of your global profits if that is higher than the mentioned sum.

Bottom Line

If you process customer data or handle it in some way, it is crucial to ensure and maintain GDPR compliance. Remember, because SaaS is still a growing domain, its relationship with the GDPR remains complicated. You’re probably familiar with Google’s failure to adhere to these restrictions, which resulted in a $55 million lawsuit.

In case you do not want to face the same plight or financial issues, it is important to follow the right steps so that your business is fully compliant with the regulations and guidelines entailed in the GDPR. Since we have already listed the important bits, we are certain you will have an easier time navigating through GDPR compliance.

Want more information on GDPR compliance for your SaaS? See more on our website.

Data in Sports
https://dataologie.com/data-in-sports/
Published: Wed, 27 Oct 2021 16:50:56 +0000

Data analytics in sports was first popularized by the efforts of Billy Beane during his time as General Manager of the Oakland Athletics baseball team (also portrayed in the commercial film Moneyball). It is now common practice for sporting and athletic organizations to monitor the performance of their athletes. This could involve collecting data such as a player’s speed or how many times the individual passed the ball. In addition, data is collected from players during their training sessions and actual matches to better gauge their performance and to determine methods of improving it.

Furthermore, football clubs themselves have been actively collecting advanced and detailed medical data, such as cardiovascular metrics, body composition, distance covered in a game, respiratory patterns and medical history, to assess the physical and athletic condition of their players.

However, the lawsuit takes issue with the potentially illegal processing of this data by betting companies and fantasy sports companies, who use the information to predict the performance of players and to determine the odds on a game or on a specific player’s performance.

Sports data and GDPR

The data collected by these organizations could ostensibly fall within the definition of “personal data” in the GDPR. Some of these statistics may also fall within the definition of “data concerning health”, meaning that they constitute “special categories of personal data” under the GDPR and therefore qualify for extra protection. There is a wide range of entities potentially processing this personal data, including football clubs, data processors, betting companies, fantasy sports providers and video game developers. Accordingly, the following issues would be of importance if the lawsuit is brought to trial:

Lack of transparency and fairness: The GDPR requires that data be processed in a “fair and transparent” manner. If these data processing entities have not clearly informed the footballers how they are using their data, this might be evidence of a lack of transparency and fairness. The strength of such a claim would depend on the factual circumstances, namely which entities are engaged in the processing of the data and their privacy agreements with the players.

Legal processing ground: The GDPR requires that data be processed on a lawful processing ground. The players could argue that the correct processing ground should be consent, which must be obtained before organizations can utilize their data.

Processing of Sensitive Data: The GDPR provides additional protection to individuals whose sensitive data is being processed by any entity. While it may be argued that a large percentage of these statistics are easily available because the games are broadcast, medical data, such as energy expenditure or cardiovascular metrics, may be considered private to the individual.

Consent: The GDPR sets out the conditions for consent to be valid. While the organizations may argue that the player’s consent was acquired at the stage of contract signing, it could be an obstacle to demonstrate that the request for consent was presented in a manner clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Profiling: The GDPR protects data subjects against profiling and gives them the right not to be subject to such profiling. Betting companies and fantasy sports entities create complete player profiles on which they base their services and products. Moreover, the medical data of the players also forms a vital part of such player profiles and would require the express consent of the players for processing. The players can allege that their data profiles have been developed without their consent and seek erasure of them under the GDPR.

Legal protection of image rights in the UK

Image rights are particularly complex under English law. There is no codified or consolidated legislation that protects image rights as such. Instead, sports stars need to rely on a patchwork of laws including intellectual property rights, passing off, privacy laws, defamation and advertising regulations to prevent unauthorised exploitation of their image.

Passing off

This is perhaps the cause of action in the UK which is closest to an image right, and indeed one of the leading cases in the area is sports related: Formula 1 driver Eddie Irvine’s claim against Talksport Radio. It is generally considered the most obvious means of enforcing the image right of a sports star because its three constituent elements appear well suited to the types of scenarios in which sports stars will want to take action. It first requires goodwill, which when you are dealing with famous sports stars can often seem like a given. Next it requires a misrepresentation, which again can appear obvious when a sports star’s name or likeness has been used to imply their connection to a certain product or service which does not reflect reality. Finally, it requires some damage to have been caused. All sports stars today are acutely aware of the value of their sponsorship and merchandising deals and would immediately point to any situation which could jeopardise their position under those deals as clearly causing them damage.

However, the situation is not as clear cut as it would first appear. The UK courts have been very reluctant to provide sports stars with broad rights merely because they have a high degree of recognition amongst the public. First, being famous does not necessarily equate to having a goodwill, which refers specifically to the power of attraction generated by some business. Sports stars will need to show that they are regularly in the business of commanding fees for product endorsements before a court will agree that a goodwill exists in their name or image. Second, the alleged infringement must involve a genuine deception. Unless consumers are actually likely to believe that the sports star is associated with or has authorised the alleged harm then a court is unlikely to accept that an actionable misrepresentation has occurred. So the evidence required to succeed in a passing off claim often makes such a claim untenable.

Trade marks

Registered trade mark protection is one of the few registered rights which sports stars can obtain to seek to protect their name, nickname or any logos associated with them. For example, Cristiano Ronaldo owns “CR7” and Roger Federer has his “RF” logo. David Beckham owns a huge range of registered trademarks including even SMOKEY BECKHAM (which was assigned to him following a dispute with a businessman who tried to trade mark the name). There was also the famous example of trade mark registrations for Jose Mourinho’s name holding up negotiations regarding him becoming Manchester United manager as the marks were still owned by his former club, Chelsea.

Registered trade mark protection has its benefits: if a third party uses the owner’s identical name on identical goods/services for which the trade mark is registered, the owner does not need to prove that consumers would actually be confused or that the third party’s use would take advantage of the owner’s reputation. However, it also has its limits. First, registries are reluctant to accept trade mark applications from sports stars in respect of goods which would simply bear the person’s image rather than designate the origin of the goods. For example, Alex Ferguson failed to secure registrations for his name in relation to goods such as posters, photographs, transfers and stickers for this reason. Ultimately, trade mark registrations are a limited tool which can be used only in quite specific circumstances.

Copyright / Performer’s rights

Copyright is of narrow use in protecting image rights since no intrinsic copyright exists in an individual (e.g. their face or name). The copyright in any photograph of a sports star would belong, in the first instance, to the photographer. However, if the sports star acquires the copyright in any works (such as photographs, drawings, films) of them, then they could exploit those specific works by licensing them to third parties. Performers’ rights, whereby an individual can control the dissemination or exploitation of their performances are not relevant because a “performance” for the purposes of the legislation is a dramatic or musical performance, or a reading or recitation of a literary work, which is a live performance. It would not include, for example, a player’s performance on a football pitch (even though some performances may seem like they could be classed as ‘dramatic’!) although these rights may arise in other sports that are more akin to dance, such as ice dancing or gymnastics floor.

Privacy / Breach of Confidence

Celebrities have successfully relied on the law of privacy to protect commercial image rights in the past (the most famous example being that of Douglas v Hello! which involved unauthorised photographs taken for Hello! Magazine at the wedding of Catherine Zeta-Jones and Michael Douglas). This case led to the recognition of the right to sell private information for profit in order to protect those who have entered into exclusive arrangements regarding the publication of information that would otherwise be considered confidential. However, it was key to that case that considerable control was exercised over the images (and the attendees at the wedding) such that an obligation of confidentiality was created. It is likely that this would apply to photographs taken of sports stars only in very specific circumstances, such as where those photographs were taken at a private event.

Data Protection

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 impose broad obligations on those who collect and process personal information, the key obligation being to process personal data “lawfully”. It also grants significant rights to individuals in respect of an organisation’s processing of their personal data, including rights in certain circumstances to access what data is being processed about them, to object to the processing and to obtain erasure of their personal data. Sports stars seeking to protect their image may therefore be able to rely on these rights to prevent the unauthorised publication of photographs or film bearing their image.

However, obtaining an individual’s consent is not the only way for commercial parties to process that individual’s personal data “lawfully”. The primary argument that a publisher of an image of a sports star would raise in response to an objection from the individual that they had not consented to the use would be that there is a “legitimate interest” for the publisher’s actions. This is the most flexible basis on which to justify the processing of personal data about an individual, but it is not always appropriate to rely on it (and it has not yet been tested in any detail by the courts). In order to rely on this condition for lawful processing, a commercial party must balance its (or a third party’s) interests against the player’s rights, interests and freedoms, including the likelihood that the publication will cause unjustified harm. One key consideration is whether the individual could reasonably expect their image to be published. In the case of a sports star, who more than most should be aware that their image taken in their professional capacity is likely to be published extensively in multiple different contexts, an objection on data protection grounds may be more difficult.

Defamation / Malicious Falsehood

If the name or image of a sports star were used without their permission in a manner which is inaccurate and potentially harmful to their reputation, they could consider a claim for defamation or malicious falsehood. However, although a sports star might consider that the use of their name or likeness to endorse a certain product harms their reputation in the opinion of the public, the bar for an actionable claim is set high. Firstly, there must be the publication of a statement or allegation that is false and defamatory, which is not straightforward in false endorsement cases. Secondly, the Defamation Act 2013 introduced a requirement that a statement must have caused, or be likely to cause, serious harm to the individual’s reputation for it to be classified as defamatory. This condition means that the circumstances in which a sports star could bring a defamation claim in relation to the use of their name or image to promote a product are likely to be rare. As for a malicious falsehood claim, although “serious harm” is not required, evidence of “malice” is. That typically requires that the defendant knew that the relevant statements were false, was reckless as to their truth or falsity when publishing them or, even though the defendant believed the statements to be true, their dominant motive in publishing the statements was to injure the claimant’s interests. Again, this seems unlikely to be satisfied in promotional material.

Advertising Regulation

The regulation of advertising in the UK is conducted with reference to the CAP and BCAP Codes[1], which contain specific measures dealing with the use of images of individuals that could be relied upon by players in making a complaint to the Advertising Standards Authority (“ASA”) in the event they are portrayed or referred to in advertisements without their permission. Although breaches of the codes would not provide the players with any right to compensation or other remedy from the advertiser, a successful complaint to the ASA would typically result in the ASA demanding that the advertiser withdraw the offending ad and publishing its adjudication against the advertiser. An example of this in the sports world is the ASA complaint lodged by David Bedford (a runner in the 1970s) against a TV advert for the 118 118 directory enquiries service, in which he claimed his image had been exploited by the actors caricaturing him. No action was taken against the ads, despite them being held to be a breach of advertising rules, in part because it was not clear that Mr Bedford had actually suffered any financial loss as a result.
Ring video doorbell: GDPR and Privacy – what homeowners need to know

Published Wed, 27 Oct 2021 16:30:35 +0000 at https://dataologie.com/1939-2/

A recent case in the Oxford County Court highlighted the perils for homeowners of operating a Ring product to protect their properties. Ring products, such as smart doorbells and security cameras, are becoming ever more prevalent. Perhaps a bigger takeaway is that the homeowner who installed the cameras was found to be a “data controller” under the definitions of the GDPR by virtue of recording the neighbour, and was thus exposed to the substantial fines the privacy law provides for.

These devices have advanced motion and audio detection, including live voice and siren response capabilities. Ring’s recent acquisition by Amazon has also pushed down the price of these ‘Sherlock Holmes’ style devices, making them affordable to the average household.

What are Ring Doorbells?

Developed by Ring LLC, a home security technology company owned by Amazon, Ring Doorbells are Wi-Fi-enabled smart doorbells intended to deliver an added layer of safety to homeowners, with a camera installed on the doorbell to let owners screen visitors.

The devices have built-in motion detection and can be connected to existing doorbells through wiring or attached to doors as stand-alone video doorbell devices, with two-way talk letting homeowners speak to those on their doorstep.

Such smart doorbell devices are popular in countries worldwide.

What does your Ring doorbell track?

Ring is, first and foremost, a surveillance tool. It’s marketed as helping you surveil your surroundings, but don’t forget that it’s keeping track of you and your family as well. Ring — and Amazon, its parent company — knows your name, email, postal address, and phone number. It also knows the geolocation of your phone, information about your Wi-Fi network and signal strength, and your product’s model, serial number, and software version. If you use Facebook or another third-party login, it also can “obtain information” from that third party.

And of course, if you go to their website, it also tracks with cookies, web server logs, web beacons, “and other technologies.” According to their Privacy Policy, any information gathered on their sites or social media may be used for advertising.

Finally, Ring videos and photos are stored on Amazon’s servers for up to 60 days.

What does Ring do with my data?

Ring uses your data to provide the services you’ve paid for — in other words, a video doorbell — and while they don’t “sell” your data, they do say in their Privacy Policy that they might “share” it with “service providers who perform services” for them — including marketing. In other words, your data is likely shared with data aggregators in order to serve you ads. Additionally, we all know that Amazon loves to get their hands on as much information about customers as possible, which means Ring data goes into that big aggregated pool Amazon has on you.

Ring already overtly collects a lot of information, but there are things they could figure out based on the content of your videos and photos. Things like: when you’re home, how many packages you get, information about your neighbourhood and neighbours, and so on.

And while there’s no evidence so far that Amazon is viewing those videos and photos, it does have access to them and could in theory watch them. (In fact, Amazon let workers in Ukraine annotate Ring videos without consent.) Amazon has also demonstrated that it is more than willing to comply with police: it reportedly complied with 57 percent of requests from law enforcement in 2020 and 68 percent in 2019, after Ring owners had refused to hand over footage themselves.

There are also reports that Amazon is testing out facial recognition technology on their Ring cameras, which opens up a whole other can of scary privacy concerns, especially when you take Amazon’s police partnerships into account. One only has to look to the use of facial recognition by law enforcement in the UK to see how quickly that situation can be used to oppress citizens.

And then there’s the issue of security. While Amazon is pretty good on that front, users generally aren’t. Anything from an unsecured network to a weak or stolen Wi-Fi password could let malicious actors gain access to the very sensitive information on your Ring. So if you do choose to get one, make sure it’s protected by following strong password practices and updating it regularly.

How to Protect Your Doorbell From Hackers

Good security hygiene can keep your Ring doorbell safe from hackers. Here are some tips to keep your Ring doorbell safe and secure from outside attacks.

Update Passwords

Though it is a seemingly simple practice, most people rarely update their passwords. Worse, they may use the same password for all their accounts.

Since credential stuffing (replaying username and password pairs leaked from other breaches against new services) is one of the most common ways accounts are hijacked, to say passwords should be updated regularly would be an understatement.

It is essential to change passwords regularly and use a separate one for every account. This way, even if your Ring account is compromised, at least the problem is isolated.

You can also use a password manager or password generator so that each account has a unique, strong password that you do not have to remember yourself.

Enable Two-Step Verification

Two-step verification adds an extra layer of authentication to ensure your account information is not shared in the event that your password is compromised.

Ring does come with a two-step verification feature that most users are not aware of, as it is not enabled by default. This feature can be enabled directly from the Ring app.

Once enabled, every time you log into your Ring account, a one-time password will be sent to your associated email address. You will then be prompted to enter the six-digit key to log in successfully. Keep in mind that the code must be entered within 10 minutes, after which it will expire (requiring you to request a new one).

Add a Shared User

Do you want your friends and family to access your Ring in case of emergencies? As a rule of thumb, you should refrain from sharing login information with anyone.

Fortunately, the Ring app and Video Doorbell come with a flexible feature for adding a “Shared User” to your account. This way you can still provide Ring access to others while keeping your account information secure.

Monitor and Delete Old Footage

It’s always best to delete old video footage from your Ring app. The more footage that is stored, the more an attacker who gains access to your account could learn from it, so old footage poses a security risk.

Also, if you see any footage that seems unfamiliar, it’s a good indication that your Ring has been compromised.

Do Not Share Footage

Along with deleting old footage, you should also refrain from sharing your Ring Video Doorbell footage with anyone. This includes any social media platform and even Amazon Sidewalk.

Even highly secure platforms can increase the likelihood of a security breach on your devices, so it’s important to keep your sensitive data safe as well as private.

Invest in an Antivirus Solution

Having a robust and reliable antivirus or firewall solution to protect your Ring device from unauthorized intrusions is a must, even if you are taking all other precautions.

You should also keep your device updated with the latest software to take advantage of new security updates and patches as Amazon is continuously updating their devices.

Are you breaking privacy laws by having a Ring doorbell installed? 

Under Article 8 of the Human Rights Act 1998, respect for your private and family life is a legal right. This includes protection against intrusion into your home life. These rights have been cemented in case law and the legal test is: do you have a ‘reasonable expectation’ of privacy? If so, then such privacy is protected at law. This would normally apply to someone’s home.

Under the Data Protection Act 2018, someone recording you while you are within the bounds of your property would ordinarily be a ‘controller’ of your ‘personal data’. They would then have a duty under this Act to ‘process’ (i.e. ‘use’) such data in a ‘fair and transparent’ manner. So if someone was recording you on your land without your permission or consent, it could be argued that they have not processed your personal data in a fair or transparent manner. The ICO guidance on CCTV suggests that filming within the confines of your own home and garden falls outside the legislation and is acceptable, but it is not always possible to adjust the camera on most video doorbells to avoid recording the pavement, your neighbours or other passers-by.

So if you have a Ring product (or similar device), how do you avoid infringing your neighbour’s privacy and data rights? The following tips are recommended:

  1. Adjust the motion and audio ‘zones’ on your Ring device to ensure they do not include your neighbour’s property.
  2. Attach a Ring ‘warning sticker’ (which comes included with every Ring device) to your front/back door to make people aware that they are being recorded if they enter your land. Ideally, the sticker or sign should tell people that recording is taking place and why, and give your contact details.
  3. Before you install your device, speak to your neighbour and assure them that the device will not record them or their property and that you will adjust the device zones accordingly. Tell your neighbour that if they have any concerns or questions, they should contact you in the first instance.
  4. Follow the conversation up with an email to confirm what was said, so you have a paper trail.
  5. If your neighbour continues to complain, keep a written note of all conversations (and copies of any emails and texts) and take legal advice as soon as you are able.
  6. Ensure you don’t capture more footage than you need to achieve your purpose in using the device, which will normally be to deter criminals or divert parcels, rather than snooping on your neighbours.
  7. Regularly review your device zones and settings to ensure that they do not encroach on your neighbour’s property. Keep a record of such reviews.
  8. Ensure the security of the footage you capture; in other words, make sure the camera is properly secured and nobody can watch its footage without good reason. Many video doorbells will archive footage to the cloud. You should not use that footage for other purposes or share it with others.
  9. Only keep the footage for as long as you need it: delete it regularly, and when it is no longer needed.
  10. Ensure the product is only operated in ways you intend and can’t be misused for other reasons. Anyone you share your property with, such as family members who could use the equipment, needs to understand the importance of not misusing it.

CHALLENGES AND RISKS INVOLVED WITH DATA RETENTION

Published Mon, 04 Oct 2021 16:20:28 +0000 at https://dataologie.com/challenges-and-risks-involved-with-data-retention/

The risks of over or under retention

Organizations need to be aware of the legal requirements that apply to their personal data processing. Personal data must be kept long enough to comply with applicable legal obligations. Minimum or maximum retention periods may be set by law. In other cases the law does not specify a retention period, and organizations will need to judge for themselves a suitable retention period which they can justify.

What are the risks?

Organizations may expose themselves to risks if they keep personal data for longer than necessary, or indeed if they do not keep it long enough.

1.1 Information security risks

The impact of a personal data breach could be significantly worse for an organization that has kept personal data for too long. For example:

• the volume of records involved in the breach may be larger and could affect far more individuals;
• if a regulator investigates and discovers that data involved in the breach had been stored for longer than necessary, in breach of the law, enforcement action may be more likely and potentially more severe;
• damage to the organization’s reputation could be much greater;
• if the organization is a processor acting on behalf of a controller, it may also face legal action from the controller;
• there may be more queries or class actions on behalf of the people affected, and more complaints from people asking why their data has been stored for so long.

1.2 Legal risks

Legally defined data retention periods generally exist to protect the interests of individuals. Where the law requires an organization to retain personal data for a stipulated period, the relevant data must be stored at least long enough to meet these legal obligations.

If an organization fails to hold records for the stipulated period, it exposes itself to the risk that it may not be able to comply with the applicable laws and may also be undermining the interests of individuals.

1.3 Contractual or commercial risks

Certain personal data may also need to be retained to meet contractual or commercial terms, such as:

• personal data collected as part of a sale, or to provide a service, between an organization and its customers;
• personal data necessary for ancillary products or services, and to substantiate guarantees or warranties;
• personal data covered by a contract between a data controller and its processor.

The risks of not retaining this data include being unable to respond to complaints or litigation from customers, or to regulatory enforcement.

1.4 Customer expectations

Organizations will be expected to process customers’ data to respond to their needs, such as:

• answering customer service queries;
• responding to complaints; or
• changing their preferences.

In situations where there is no applicable law governing the retention period for personal data, an organization will nonetheless need to keep it for an appropriate period to meet its customers’ reasonable expectations. Similarly, once a customer contract ends or lapses, a customer might not expect an organization to store their personal data any longer. Suitable retention periods must balance the rights and interests of all parties.

1.5 Reputational risks

All the above risks could also result in reputational damage for an organization that fails to meet its legal obligations, contractual obligations or customers’ expectations.

1.6 People and process challenges: winning hearts and minds

Consider how to get support from senior leadership:

• You will need to confirm who makes the final decision on data retention periods and who supports them in implementing these periods.
• Agree on the best approach by consulting with your stakeholders.
• Change is inevitable, so adopt a flexible approach.
• Internal awareness: consider how best to communicate your data retention policy and schedule across the teams who manage personal data and the technology teams who will support them with the systems.
• External transparency: consider how to notify your customers/clients/supporters about how long you will keep their data, for example in your privacy notices. How much detail will you give about specific retention periods?

You will need to build strong relationships with data owners, but also with your technology team, particularly those who are responsible for the IT systems which hold the data. To encourage people to help you implement the policy successfully, build the same relationships with your wider stakeholders, and help your colleagues understand data retention and how you have made your decisions.

You will need to be able to state clearly the benefits of implementing data retention policies and practices, so that data retention becomes part of the wider question of ‘How do I use this information to drive my business forward?’

1.7 Technology challenges

You may face some practical obstacles while trying to roll out the data retention policy and schedule, for instance:

• legacy systems may be inflexible and sometimes have limited data destruction capabilities;
• decommissioned systems, or systems due for decommissioning, may still hold personal data which will need to be destroyed;
• data held on backups;
• business continuity risks (such as if you need to restore data that has been deleted).

How can DataOlogie help you?

We can solve your legacy and current data retention issues and support you in defining data retention policies, schedules and implement this in your organisation, so you have one less thing to worry about.

Article 27 – UK & EU Representative services

Published Mon, 04 Oct 2021 14:50:40 +0000 at https://dataologie.com/article-27-uk-eu-representative-services/

The UK entered a period of transition which ended on 31st December, 2020, as the Brexit uncertainty ended with the passing of the withdrawal agreement bill.

Data controllers or processors are under an obligation to designate a representative in the Union, per GDPR Article 3(2). A controller or processor not established in the Union but subject to the GDPR has to designate a representative in the Union; failing to do so is a breach of the Regulation.

Who is a ‘representative’ and whom does it apply to?

A representative is a delegate of the organisation they represent: someone who can communicate with individuals, as well as with data protection authorities, on behalf of the organisation in relation to data protection matters. Under the GDPR, organisations not established in the EU are required to designate a representative in an EU member state if the organisation collects personal data of people in the EU. Organisations with an evident intention to provide goods or services to people in the EU also come under the purview of the GDPR. Following Brexit, organisations in the UK are subject to the same requirements, as they are no longer established in the EU.

In addition, organisations not based in the UK which supply goods or offer services to people in the UK, or monitor their behaviour, are required to designate a UK representative in order to comply with the data protection laws that apply following Brexit. This has been highlighted by the Information Commissioner’s Office (ICO), which has stated that “the UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative”.

What does this mean in practice for organisations?

UK based organisations processing personal data require, in the EU, a representative that fulfils the obligations set out in Article 27 of the GDPR.

Following the Brexit transition period, this is what has changed:

  • Organisations established outside the EU and the UK: following Brexit, these organisations need an additional representative. If the organisation’s current EU representative is based in the UK but the organisation sells to or collects personal data of individuals in the EU, an additional EU representative is required to comply with the GDPR. If the organisation’s current representative is based in another EU member state, but the organisation sells to or monitors people in the UK, a UK representative is required to comply with UK law. Alternatively, it may prove cheaper to appoint an outsourced representative with offices in both the EU and the UK which can act on the organisation’s behalf in both cases.
  • Organisations established in the UK: organisations established in the UK which supply goods or offer services to, or monitor, people in the EU need to designate a representative in an EU country following Brexit.
  • Organisations established in other EU countries: to comply with UK law, organisations established in the EU but not in the UK which offer goods or services to, or monitor, people in the UK need to designate a representative in the UK following Brexit.

What do you need to consider when designating an EU and/or a UK representative?

  • Considering your current business operation and its future, assess where you need a representative (the UK and/or the EU).
    • Assess whether your organisation foresees an expansion into a new market. Will your organisation need a representative in the UK and/or the EU?
  • Assess your business and find the best option to minimise the cost of designating representative(s) (e.g. a representative designated in the jurisdiction itself).
    • While a UK representative is relatively straightforward in terms of the representative’s location, non-EU businesses will need to consider carefully where to designate their EU representative.
    • If an organisation processes data of people in multiple EU countries, the representative must remain easily accessible to the people in all those countries and must be able to communicate with the people and supervisory authorities of those countries in the languages they speak.

An outsourced EU representative with a global presence will make it easier to have a representative readily accessible to people and supervisory authorities in each of these countries, with the language capabilities required to communicate with them.

GDPR – Here’s What You Should Know Before Collecting Customer Personal Data

Published Thu, 16 Sep 2021 22:09:29 +0000 at https://dataologie.com/1815-2/
Data is everywhere, and smart companies know how to use customer data to their advantage. If you regularly harvest customer data to understand consumer patterns and for remarketing purposes, you must know about the rules and regulations that protect customers from unethical data harvesting practices. In the UK, the GDPR and the Data Protection Act 2018 (DPA 2018) protect customer personal data and prevent it from being misused. Here are the points to know about the Data Protection Act 2018 when processing customer data.

UK GDPR – The Data Protection Act 2018

The Data Protection Act first came into practice in 1998, two days before the GDPR (EU General Data Protection Regulation) was introduced to the general public. The GDPR and the DPA are set to protect customers and their data.

There are subtle differences between the two. For instance, the GDPR requires companies handling criminal data to have official authority, whereas the DPA does not. If your company caters to the UK and the EU, you should consider brushing up on both. In this article, we will focus more on the GDPR.

The major difference between the DPA 1998 and the DPA 2018 is that the latter requires companies to be more transparent with their data harvesting methods, how they plan to use customer information and to reproduce, replace or remove data if requested by respective customers.

1. Processed Lawfully, Fairly and in a Transparent Manner

All personal data must be provided by customers who know where the data is being (or is going to be) used. This principle prohibits companies from extracting data without the customer’s knowledge and requires that customers are informed through a Privacy Policy/Notice (we can help you draft a Privacy Policy for your company).

For instance, asking for customer email addresses to build a company newsletter is deemed ethical as long as customers know how their email addresses will be used (marketing, connecting, converting etc.). The email addresses cannot be harvested for marketing purposes and later sold to a third-party company without explicit consent.

2. Purpose Limitation

Data must be ‘collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’ This simply means that customers must know why the data is being collected.

Companies cannot use the data for anything other than what was proposed. Companies in the UK should consider registering with the Information Commissioner’s Office (ICO), stating how and why they want to collect certain data. Companies that process personal information for payroll-related purposes or for maintaining the public sector are exempt from this requirement.

3. Data Minimisation

This principle was created to streamline customer data and harvest as little information as possible. It protects customers from giving information that has no use in the company.

Data minimisation works in three important steps. All data must be:

• Adequate – companies must have enough data to successfully carry out their purpose;
• Relevant – all data must be collected for a specific purpose;
• Necessary – companies can only collect strictly necessary information.

4. Accuracy

Accuracy covers a wide range of data protection rights. According to the GDPR, all customer information must be deemed accurate. Depending on the type of company, incorrect information must either be removed or be marked as ‘incorrect’. Article 5 of the GDPR states that all personal data must be ‘accurate where necessary’.

5. Storage Limitation

Storage limitation controls how long a company can store customer data. It protects customers from unnecessary marketing when they are no longer a prime candidate for a business. Companies cannot keep customer information after the purpose of the information is fulfilled. There is no set duration for storing customer data, but this principle prevents enterprises from keeping data forever. Companies must ensure customer data is regularly screened and that all outdated data is removed on time. It is recommended to draft data retention schedules for each category of personal data or record and then to remove data in accordance with the retention schedule.

6. Integrity and Confidentiality

This is perhaps one of the most important principles in the DPA because it deals with online safety. The DPA outlines that all customer data must be handled ‘in a manner [ensuring] appropriate security, protection against unlawful processing, accidental loss, destruction or damage.’

You must take essential cyber security measures to make sure your customers’ identities and data are safe. While it is not mandatory, companies that handle sensitive customer information should consider obtaining an official certification, such as ISO 27001 or Cyber Essentials, to demonstrate their cyber security posture.

7. Accountability

The final principle puts everything together and deems the company accountable for the data harvested and stored. This regulation reinforces all the principles above and forces the company to keep track of all customer information.

Companies must be able to produce documentation that proves their compliance with the GDPR when required. They must also be able to prove that their data protection methods are sufficient.

How DataOlogie can help you

It may seem overwhelming at first but if you are looking out for your customer’s best interests, these regulations will come to you quite naturally. As long as you are making sure your customers are safe, their data is accurate, safely stored and not used for unethical reasons, you will not get in trouble with the law.

Struggling to manage customer data? DataOlogie has deep knowledge of industry and data protection laws and regulations, including the GDPR, and can help your company address risks and issues and adhere to the GDPR. Let us give you a helping hand with the customer data protection process so that you can excel in what you set out to do! All the best!

Are you following the GDPR? Or are you struggling to keep your head above water? Tell us all about it in the comment section below.
