Tag: general data protection regulation

Bird & Bird Guide to the General Data Protection Regulation

Bird & Bird guide to the General Data Protection Regulation by Bird & Bird

The changes which are to be ushered in by the GDPR from Friday 25 May 2018 are substantial and ambitious. The Regulation is one of the most wide ranging pieces of legislation passed by the EU in recent years, and concepts to be introduced such as the ‘right to be forgotten’, data portability, data breach notification and accountability (to call out only a few) will take some getting used to. Even its legal medium - a regulation
not a directive - makes the GDPR an unusual piece of legislation for data protection lawyers to analyse.

 

This guide seeks to summarise the key changes that the new law will bring and to highlight the most important actions which organisations should take in preparing to comply with it.

IANAL. Bird & Bird are.

GDPR : Devil in the Details

GDPR: A Compliance Quagmire, for Now by Tara Seals

There’s also a grey area around accountability and proof of data-handling compliance. “The GDPR requires that you can show evidence that you’ve received a request and taken action in an appropriate timeframe,” Klassen explained.

And that, he explained, carries its own set of new privacy considerations, many of which will be challenging for U.S. companies looking to comply with the regulation.

“It gets tricky,” he said. “When an individual makes a request, the company has the right to ask for proof of identity, because after all, that could be catastrophic if they erase the wrong person’s information or return a different person’s information. So for instance, Google requires you to take a picture of your passport—then the question becomes whether you’re giving them information that’s more sensitive than the data you’re looking to access.”

Further, companies can’t erase that proof of ID.

“A data subject can say, that wasn’t me, prove that it was,” Klassen explained. “So if they don’t have that proof, they’re in trouble.”

Ugh! My head hurts thinking through all the technical problems created by this piece of legislation that was most likely created by lawyers and bureaucrats without an understanding of technology or process. I can't even get a straight answer as to whether my simple blog needs to be compliant nor can I afford to pay a lawyer to answer that question. And even if I needed to be compliant, I am certain it would have a financial impact on my ability to operate this website.

You're a photographer in an E.U. member country. You snap a photo of someone or group of people in public or at an event. You get signed content to use the image for news reporting or your website. The image is published in a newspaper/magazine/website. One of the people in the image later object to its use and wants the image removed. What do the photographer and publisher do? How do you recall and destroy all copies of the newspaper or magazine? How do you ensure that the online image has not been downloaded and copied elsewhere by people /entities you have no control over?