Posts

GDPR: One Year In

On May 25, 2018, the GDPR went into effect, putting the world’s attention on data privacy. Since the enforcement deadline has passed, there have been questions about how to comply with the law, who must comply with the law, how the law will be enforced, and so much more. Now a full year later, let’s take a look at developments and predictions for GDPR throughout 2019 and beyond.

What is the Future of GDPR Certifications?

While the EU announced the GDPR enforcement deadline nearly two years before the law went into effect, many organizations were left scrambling last-minute to comply with the law. In large part, this was due to the ambiguity of the law, leaving organizations unsure if it actually applied to them and the data they collected. A year later, the future of official GDPR certifications is still relatively unclear, but the European Data Protection Board (EDPB) recently issued guidelines that will assist in certifying controllers and processors as GDPR-compliant.

GDPR Enforcement Updates: Who’s Been Fined?

Perhaps the most talked-about component of GDPR was the potential fines. Under the law, organizations that fail to comply can face fines of up to €20 million or 4% of annual global turnover, whichever is greater. For many enterprises, this meant that non-compliance could lead to tens of millions of dollars in fines, or worse, bankruptcy. In the first months after enforcement began, EU supervisory authorities saw an influx of reported data breaches; DLA Piper counted nearly 60,000 breach notifications since the May enforcement date. Enforcement action itself has been comparatively modest, however. Three fines in particular drew attention: Google, a German social media platform, and an Austrian entrepreneur.

  1. Google: Receiving the largest GDPR fine to date, Google was fined €50 million by the French regulator CNIL in January 2019 for a lack of transparency, inadequate information to users, and the absence of valid consent for ad personalization.
  2. Social media platform: This German social platform was fined €20,000 by the data protection authority of Baden-Württemberg, LfDI, after a breach exposed users' credentials and revealed that the platform had stored passwords in plaintext rather than hashing them.
  3. Austrian entrepreneur: This business owner was fined €4,800 for operating an unmarked CCTV system outside their establishment that also recorded a public sidewalk, unlawfully monitoring passers-by.

Will Facebook Be Fined Under GDPR?

The debate over whether Facebook will be fined under GDPR has been a hot topic since the law went into effect. In July 2018, Britain's ICO announced a £500,000 fine against the social media giant over the Cambridge Analytica scandal, confirmed in October 2018; because the conduct predated May 25, 2018, that penalty was the maximum available under the UK Data Protection Act 1998 rather than a GDPR fine. In recent developments, it was also disclosed that Facebook had been storing the passwords of hundreds of millions of users in plaintext. While investigations of the platform's data privacy practices could take years, the outcome could help clarify GDPR requirements and expectations for the future.

How Has GDPR Influenced Data Privacy Laws in the US and Abroad?

GDPR was viewed as the top regulatory focus of 2018, and for good reason; it has also become the catalyst for data privacy laws around the globe. In the United States, California passed the California Consumer Privacy Act (effective January 1, 2020), Washington state introduced the Washington Privacy Act, and Congress has introduced several data privacy bills, including the American Data Dissemination Act (ADD Act) and the Social Media Privacy Protection and Consumer Rights Act of 2019. Internationally, there have also been many developments, several of which resemble GDPR, including Canada's PIPEDA breach notification amendments, China's Cybersecurity Law, Singapore's Cybersecurity Act, the Brazilian National Monetary Council's Resolution No. 4,658, and many others. Throughout 2019 and beyond, many more data privacy laws are expected to take effect around the world.

In just one year, GDPR has had a tangible impact on the way the world views data privacy. If your organization has questions about GDPR compliance or complying with the many other data privacy laws either in effect or in the process of going into effect, contact us today.

More GDPR Resources

GDPR Readiness Webinar Series

10 Key GDPR Terms You Need to Know

The Cost of GDPR Non-Compliance: Fines and Penalties

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

Requirements for GDPR Data Processing Agreement

The GDPR has quickly reshaped attitudes towards data privacy around the world and has given EU data subjects more autonomy over how their data is used than ever before. Personal data increasingly flows between organizations because most businesses outsource some aspect of their business functions, creating webs of responsibility and oversight. However, with many ambiguous requirements for data controllers, processors, and sub-processors, entities might still have questions about certain requirements under the law, such as what must be included in a data processing agreement. These data processing agreements (DPAs) are critical to ensuring the privacy of data subjects' personal data. Let's review what a DPA is, what needs to be included in a DPA, and examples of DPA clauses.

What is a Data Processing Agreement?

Article 28(3) of GDPR requires that processing carried out by a processor be governed by a written contract, commonly called a data processing agreement; Article 28(4) extends the same obligations to any sub-processor the processor engages. DPAs establish the roles and responsibilities of controllers, processors, and sub-processors, and allocate responsibility between them.

Essentially, a DPA is a form of assurance that the processor or sub-processor performs its due diligence to protect personal data. For instance, if a controller and processor enter into a DPA and the processor experiences a breach caused by its own failure to follow the agreed security measures, the DPA is the controller's evidence that it imposed the required obligations and can help allocate liability for the breach to the processor. It does not remove the controller's own accountability for selecting and overseeing its processors.

Data Processing Agreement Requirements

What needs to be included in a DPA? GDPR is prescriptive here. Article 28(3) states that DPAs must include specific details regarding the processing of personal data, including:

  • The subject matter of processing
  • The duration of the processing
  • The nature and purpose of the processing
  • The type of personal data involved
  • The categories of data subject
  • The controller’s obligations and rights

Additionally, DPAs must include specific requirements for processors:

  • The processor must only act on the controller’s documented instructions, unless required by law.
  • The processor must ensure that people processing the data are subject to a duty of confidence. This can be accomplished through employee confidentiality agreements or acceptable use policies.
  • The processor must take appropriate measures to ensure the security of processing. This can be accomplished through third party audit reports or information security questionnaires.
  • The processor must only engage with a sub-processor with the controller’s prior authorization and under a written contract.
  • The processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights. This can be accomplished through features within software applications or through manual processes.
  • Taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments. Contracts should specify the type of information and timeframes required for breach notification.
  • The processor must, at the controller's choice, delete or return all personal data at the end of the contract, and must delete any remaining copies unless EU or Member State law requires their storage.
  • The processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations. GDPR is unclear regarding the extent to which controllers can exercise their audit rights so your contract should be specific about the nature of audit rights (frequency, type of audit, cost).

Examples of GDPR Data Processing Agreement Clauses

Whether you're a controller entering into a DPA with a processor, or you're a processor engaging with a sub-processor, ensuring that the specific wording of your DPAs meets these requirements may seem challenging. Fortunately, the European Commission has published standard contractual clauses that controllers, processors, and sub-processors can reference. While those clauses were designed for international data transfers rather than for Article 28 specifically, they are EU-approved contract language that organizations can adapt as a starting point when drafting clauses that meet the Article 28 requirements.

Additionally, as many data controllers work with more than one processor or sub-processor, creating a new DPA for each partnership is daunting. This is why many service providers, such as Amazon Web Services and Salesforce, have made their DPAs publicly available online for controllers to review and adopt.

While the GDPR enforcement deadline has now passed, it’s never too late to start your compliance efforts. Have questions about creating a DPA? Want to learn more about how KirkpatrickPrice can help you achieve your GDPR compliance objectives? Contact us today.

More GDPR Resources

Which GDPR Requirements Do You Need to Meet?

GDPR Readiness: Are You a Data Controller or Processor?

10 Key GDPR Terms You Need to Know

The Cost of GDPR Non-Compliance: Fines and Penalties

Canada’s New Breach Notification Law: Preparation and Impact

On November 1, 2018, Canada's Breach of Security Safeguards Regulations came into force, activating the mandatory breach reporting provisions that the Digital Privacy Act added to the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations subject to PIPEDA must now report breaches that pose a "real risk of significant harm" to affected individuals to the Office of the Privacy Commissioner of Canada (OPC), notify the affected individuals, and keep records of all breaches. What does this new regulation mean for organizations, and how can they operate in a way that supports it?

Why Did Canada Introduce a New Breach Notification Law?

The entire world is stepping up its game when it comes to privacy laws because of the continual growth of personal data sharing, unauthorized disclosures, and controversial uses of personal data. PIPEDA is Canada’s federal privacy law that regulates how organizations and businesses handle personal information. Like many privacy laws, it applies when personal information is collected, used, or disposed of for commercial purposes.

The purpose of PIPEDA is similar to that of GDPR or CCPA: to facilitate growth in electronic commerce by increasing the confidence of digital consumers, and to contribute positively to the readiness of Canadian businesses. PIPEDA aims to balance the privacy rights of individuals with the legitimate needs of business. Because so many Canadian organizations are required to comply with GDPR, this new regulation will further align PIPEDA with GDPR.

What Does My Organization Need to Know About Canada’s New Breach Notification Law?

If you're not familiar with PIPEDA, Canada's Digital Privacy Act, or the new Breach of Security Safeguards Regulations, the following basic principles will help you understand the basics of Canada's new breach notification law:

  • PIPEDA defines a breach of security safeguards as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
  • PIPEDA defines significant harm as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
  • Whether the breach of security safeguards impacts one individual or thousands, it still needs to be reported if there is a real risk of significant harm.
  • Under PIPEDA’s accountability principle, even if an organization transfers personal information to a third party for processing purposes, it’s still responsible for the security of that personal information. Organizations must have appropriate contractual agreements in place to ensure that the relationship complies with PIPEDA.
  • Under the Breach of Security Safeguards Regulations, the contents of notification must include the description and/or cause of the breach, date or period of the breach, description of the personal information that was breached, number of individuals impacted, what the organization has done to reduce risk of harm to victims, how the organization will notify the victims, and a point of contact for information about the breach.
  • Organizations must keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for a minimum of 24 months after determining that the breach occurred, and must provide those records to the OPC on request.
  • Knowingly failing to report a breach that poses a real risk of significant harm, or failing to keep the required records, is an offence punishable by fines of up to $100,000 per violation, if the federal government decides to prosecute. Under the current law, the OPC cannot issue fines or binding corrective orders itself; it can only investigate and make recommendations.

How Can Organizations Prepare?

This new breach notification law was released in April 2018, but went into effect in November, giving organizations six months to prepare themselves. Some reasonable preparation steps for your organization include the following:

  • Create a formal incident response plan that has been tested and implemented.
  • Create breach notification templates that include fields for all required content.
  • Conduct a formal risk assessment to determine the likelihood of a breach and the factors that are relevant to real risk of significant harm.
  • Perform data mapping to determine where personal information is collected, processed, or stored.
  • Review user access activity and consider restricting access to personal information on a business need-to-know basis.
  • Stay aware of other breaches in your industry and learn from them. Don’t make the same mistakes as your competitors.

More Resources

OPC’s Tips for Containing and Reducing the Risks of a Privacy Breach

OPC’s Self-Assessment Tool for Securing Personal Information

OPC’s Breach Report Form

Voice-Enabled Devices and Data Privacy: Lessons Learned from Amazon

“Alexa, what’s the weather like in Nashville today?” Amazon’s Alexa, Apple’s Siri, the Google Assistant – the list of voice assistants and voice-enabled devices seems to just keep growing. “Hey Google, could you set an alarm for 8:00 AM tomorrow?” Their basic goal is to make our lives easier, right? Through their language processing abilities, voice assistants can complete all types of tasks: stream music, set alarms, take notes, order products, control smart home functions, and integrate with other applications. Voice assistants and voice-enabled devices live in the bedrooms, kitchens, and living rooms of millions of users. They are simultaneously helpful and vulnerable; what threats do they pose to data privacy? How do companies protect the data that users give Alexa, Siri, and the Google Assistant?

Amazon’s Data Privacy Worst Case Scenario

Under GDPR, any EU data subject may request that a company send them the entirety of the data collected about them, so a German Amazon user did just that. Amazon sent back fairly unremarkable data – Amazon searches, orders, and so on – but also 1,700 voice recordings and transcriptions. The issue? This user doesn't own any Alexa-enabled devices. He listened to the voice recordings to see if they were connected to him in some way, but concluded that it was an error on Amazon's part. When he discovered this information leak, the user contacted Amazon but never heard back.

This story broke when the user took his concerns to the German magazine c’t, which eventually identified the voices in the recordings. c’t reported, “We were able to navigate around a complete stranger’s private life without his knowledge…The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.” This case shows that even when users don’t think they’re giving up personal data to voice assistants, the aggregation of that data can reveal a full picture of who they are, where they are, their habits, and their community. Our digital footprints reveal a great deal about us. Voice assistants must store, or have access to, personal data in order to personalize the user experience, a cycle that keeps expanding users’ digital footprints.

In an effort of due diligence, c’t decided to contact the user behind the voice recordings. c’t reported, “We couldn’t find a phone number, so we used Twitter to ask the victim to contact us. He called back immediately and we explained how we found him. We had scored a direct hit and Neil Schmidt (not his real name) was audibly shocked when we told him about the personal data Amazon had sent to a stranger. He started going through everything he and his friends had asked Alexa and wondered what secrets they might have revealed. He also confirmed that we had correctly identified his girlfriend.”

Lessons Learned from Amazon’s Mistake

Obviously, when purchasing a voice-enabled device and using Alexa, Siri, or the Google Assistant, a user agrees to terms and conditions that address data privacy, but when those terms aren’t upheld by the data controller or processor, the foundation of trust is damaged.

Amazon’s reaction to this data privacy incident was disappointing. The first misstep occurred when Amazon didn’t even notice their mistake. Then, when the user notified Amazon of the data privacy incident, he reported that Amazon never responded. When Amazon did recognize this incident, there was seemingly no timely notice to a data protection authority or the victim. After c’t got involved, Amazon finally contacted the user and victim about the mistake and an Amazon spokesperson stated, “This unfortunate case was the result of a human error and an isolated single case.” Was Amazon planning to respond to this case, or did the media attention prompt them to address the situation?

The benefit of regulations like GDPR and CCPA is a new set of ways to hold organizations accountable for securing data subjects’ personal information. Building customer trust is a difficult task in this day and age; digital consumers are wary of unwanted follow-up, sales pitches, cold calls, and spam. Organizations that demonstrate a commitment to privacy regulations like GDPR and CCPA have the potential to rebuild the trust that many digital consumers have lost. This trust, in turn, may actually result in greater sharing of personal data.

The paranoia around voice assistants and their listening-in abilities will, hopefully, not fade anytime soon. Users must be aware of the relationship they’re creating with companies like Amazon, Google, and Apple by inviting them to listen into their lives. Likewise, data controllers and processors must protect personal data with the appropriate controls and care.

If any data privacy regulations apply to your organization, contact us today to avoid situations like this. We want to empower your organization to protect the data you hold and ensure the privacy of your customers.

More Data Privacy Resources

CCPA vs. GDPR: What Your Business Needs to Know

Privacy Policies Built for GDPR Compliance

Investing Where It Matters: Unbounce’s Commitment to GDPR Compliance

Investing Where It Matters: Unbounce’s Commitment to GDPR Compliance

There’s no doubt that the GDPR is reshaping the marketing industry, and yet many marketers remain unsure about what the law actually requires. The regulation is long, confusing, and in many areas, vague. Plus, there’s immediate tension between GDPR requirements and marketing principles. A marketer’s goal is to gather as much identifying information as possible, while GDPR’s data minimisation principle limits identifying information to what’s strictly necessary.

Let’s take a look at how Unbounce, the marketing industry’s leading landing page and conversion platform, made its journey toward GDPR compliance.

Unbounce’s Commitment to GDPR Compliance

Unbounce has powered half a billion conversions over the past nine years. How does a platform that processes so much personal data ensure compliance with such a revolutionary, yet ambiguous data privacy law? By committing to compliance from the start. To learn about the methodology behind Unbounce’s GDPR compliance efforts, we spoke to Bethany Singer-Baefsky, Unbounce’s Data Protection Officer (DPO). As DPO, she works closely with Unbounce’s security team to analyze vendor compliance management, advise on the privacy implications for new projects, and provide resources and advice for teams whose jobs require handling personal data.

What did “compliance from the start” mean for Unbounce? In our conversation with Singer-Baefsky, she tells us, “After Safe Harbour was overturned in October 2015, Unbounce began paying close attention to developments in EU data protection law. We took note when Privacy Shield was adopted, and followed the debates surrounding what would become GDPR. The laws were changing around the same time that Unbounce was looking to open up an office in Berlin, so we have been committed to compliance from the beginning. Compliance implementation, including obtaining buy-in, scoping, having regular progress meetings, completing infrastructure changes, etc., began in earnest about a year before the law went into effect.” It took collaboration across all teams to ensure that initial GDPR implementation was finished before the deadline. Developers dedicated over 5,200 hours to GDPR compliance, marketing and product marketing teams treated compliance like a product launch, and the support team fielded a deluge of customer questions. Singer-Baefsky adds, “This was a team effort in every sense of the word.”

Unbounce created a landing page so that anyone could find up-to-date information regarding Unbounce’s GDPR compliance progress, FAQs, and additional GDPR resources. Singer-Baefsky explains, “Our support and sales teams, especially those team members based in Berlin, were beginning to field a ton of questions as we neared the implementation deadline. Our legal/compliance/security team is quite small, and we didn’t have the people-power to constantly answer questions and simultaneously work towards the ever-looming deadline. We met with our marketing and product marketing teams and decided to approach our comms from the point of view of a product launch. We wanted a place to educate customers about our GDPR compliance efforts, and we updated the page based on our progress and on feedback we received from visitors and our teams.” This landing page allows Unbounce to remain transparent with their current and prospective customers, plus they published a blog post that educates marketers about how to ensure their landing pages are GDPR compliant.

Is GDPR Compliance Worth It?

GDPR compliance costs organizations time, resources, and money. Even though GDPR compliance is an ongoing effort, Singer-Baefsky believes that making sure that Unbounce was prepared for the GDPR enforcement deadline was absolutely worth the cost. First, compliance is helping Unbounce meet its business objectives. Singer-Baefsky states, “Unbounce wants the world to experience great marketing. Great marketing builds and maintains trust, and data protection is what ensures that that trust remains earned. Beyond this, our European office and customer base represent a substantial investment into the European market; a failure to attain GDPR compliance would amount to a colossal business failure.”

GDPR compliance also gave Unbounce an opportunity to analyze its processes. Singer-Baefsky said, “This was a company-wide effort that absorbed our development and legal teams for months, but as overwhelming as that could be at times, it was also an opportunity to review the ways we store and process data, ensure our security and access controls were up-to-date, and get our documentation in order. The result is a product our customers, and the millions of consumers who land on their pages each year, can trust as well as a more mature risk management system and a renewed culture of privacy and security awareness.”

Unbounce’s GDPR compliance process can offer insight into steps other organizations can take to prepare for enforcement. GDPR compliance is daunting; it’s unlike other compliance frameworks, and marketers are not only confused, but also scared by it. Singer-Baefsky notes, “We’re all just doing what we can until enforcement begins in earnest and the EU starts recognizing third-party certifications.” Until then, let KirkpatrickPrice help you with your compliance efforts. For marketers who want a streamlined compliance approach, contact us today and let’s connect you with one of our privacy experts who can show you how KirkpatrickPrice can prepare you for GDPR compliance.

More About Unbounce

Build high-converting landing pages, website popups, and sticky bars in a fraction of the time it takes with a developer. Try for free at https://unbounce.com/ or find us on Twitter.

More GDPR Resources

How Does GDPR Impact the Marketing Industry?

Privacy Policies Built for GDPR Compliance

Inside Unbounce – GDPR: It’s Still a Thing!

GDPR Marketing Survey from Demandbase