I don’t think any of us will soon forget May 25th, 2018. The EU GDPR was the first law with global repercussions, and it required extensive organizational changes. The fact that non-compliance could result in severe penalties also made everyone sit up and take notice. In the ramp up to California’s CCPA and Brazil’s LGPD, smart multi-jurisdictional organizations are leveraging the hard work they put into the GDPR to also comply with these new laws. Our paper, Leveraging GDPR Compliance Initiatives to Comply with the CCPA and LGPD, can certainly help.
This year was certainly not a boring one for organizations processing personal data and the authorities regulating their activities. Below are the topics – and the accompanying tools – that drew the most interest from Privacy Officers in 2018.
Tracking the GDPR
The GDPR now fully applies across the EU. However, not all countries have met the deadline to ensure that the GDPR is also fully embedded in national law. So far, 23 EU member states and 3 EEA (European Economic Area) countries have finalized their legislation accompanying the GDPR. Six EU member states have not:
- Czech Republic
Additionally, Finland has recently finalized its legislative process, and the Finnish law will enter into application on January 1st, 2019.
Since EU member states are able to enact their own national laws to supplement the GDPR, there is the potential for small (and not so small) differences in obligations across the EU. Nymity tracks the national laws on a daily basis and provides updates to its subscribers through the Nymity GDPR Implementation Tracker™, which is part of Nymity Research™. The Implementation Tracker provides the most comprehensive and current GDPR information available, and we also hold free quarterly update webinars. You can download our latest webinar, Tracking the GDPR - Q4 2018, below.
Over the course of several papers and blogs this year, we discussed legitimate interests as grounds for processing under the GDPR. The purpose was to help organizations determine if, and then document when, legitimate interests may apply.
Despite guidance from data protection authorities and other organizations, the legitimate interests ground is open to interpretation and difficult to grasp in practice. Deciphering when the courts will honour it can be complicated, so it is helpful to look at practical cases. Nymity and the Future of Privacy Forum collaborated to compile a report to help organizations better understand how to use and apply legitimate interests: Processing Personal Data on the Basis of Legitimate Interests Under the GDPR. Over 40 cases from 15 countries are discussed in the report, representing a wide variety of data processing activities. It gives examples of the balancing exercise in practice and the safeguards that were needed to tilt the balance and make the processing lawful. Gabriela Zanfir-Fortuna of the FPF, Joelle Jouret of the European Data Protection Board, Eduardo Ustaran, Partner at Hogan Lovells, and I delivered a panel on the topic at the recent IAPP in Brussels. It was standing room only, with over 550 attendees, demonstrating the interest in this topic.
Stay tuned in the new year for information on how the upcoming Brazilian law will approach legitimate interests.
Data Subject Rights
Under the GDPR and many other laws around the world, individuals have the right to amend incorrect data or request the deletion of data that is no longer relevant. Individuals are able to learn which data organizations are collecting and keeping on them, why and how that data was collected in the first place, and how it is being used. The upcoming CCPA takes it a step further. It allows individuals to block any marketing activities undertaken with their data, as well as the sale of their data. And both the GDPR and CCPA provide for a right to data portability, allowing people to take their data from one organization to another.
Accountable organizations are tasked with ensuring that internal policies and procedures are in place to deal with the rights of data subjects, while meeting the strict deadlines that exist to provide a response. Our Nymity DSR Handbook can help.
California Consumer Privacy Act
Although the CCPA enters into application on January 1st, 2020, organizations need to be ready on day one of 2019, so that they can comply with the 12-month look back for consumer requests for data processing disclosure. There is no time to waste. Our CCPA Compliance Toolkit equips Privacy Officers with the resources necessary to understand, assess, and develop a plan to achieve demonstrable CCPA compliance. For organizations that have been focusing on GDPR compliance initiatives, it will help them leverage that work for CCPA compliance. Our new Data Subject Requests Management tool can also help you monitor and manage data subject requests efficiently and confidently.
Lei Geral de Proteção de Dados Pessoais
On February 15th, 2020, Brazil’s general law on the protection of personal data will enter into force. Like the GDPR, the LGPD is an omnibus law, covering many principles of data protection. Nymity has identified 24 provisions of the LGPD that contain accountability requirements for which some form of evidence would be required. These 24 provisions map to 43 privacy management activities from the Nymity Privacy Management Accountability Framework™. For comparison, the GDPR contains 55 mandatory privacy management activities. In the coming weeks, Nymity will release an LGPD Accountability Handbook, containing a full overview of the privacy management activities that we consider mandatory under the Brazilian law. It will also show the overlap between the GDPR and the LGPD on the Nymity Framework, so GDPR initiatives can be leveraged to comply with the new law. Watch for the LGPD Handbook coming soon.
If you would like to learn more about how Nymity can help you operationalize compliance with any and all of the 870+ privacy laws worldwide, please contact us.
Wishing you a happy, productive, and compliant New Year!