Welp. The year is finally over. The year we, as privacy professionals, thought might kill us dead at some of our more stressful moments. But we survived the implementation of the EU General Data Protection Regulation and the passage of California’s landmark Consumer Privacy Act, all in one calendar year. At this point, we’ve essentially proven ourselves immutable, no? How bad could the new ePrivacy Regulation really be, anyway?
What’s kind of cool about being the editor of The Privacy Advisor is that it serves as a sort of yearbook for us to look back at some of the biggest stories from 2018 — the things that mattered to us, maybe kept us up at night from time to time. Below is a list of the top 10 stories of the year, according to the number of reads each one got from loyal subscribers such as yourselves. They were written not only by the publications team here at the IAPP but by your peers — the contributors who help us keep this publication stocked with solid content month over month in the hopes that some of the information you’ll find, in some small part, helps you do your job as a privacy pro a little bit better.
Thanks for a great year. To 2019!
Many think of blockchain solely as the underpinning of virtual currency, but there are myriad organizations planning different kinds of applications for it. There’s just one problem: the GDPR. David Meyer spoke with German MEP Jan Philipp Albrecht and a number of blockchain technologists to examine what happens when blockchain and the GDPR collide.
Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental law. Oftentimes, there’s conflicting information. Kevin Kish, CIPP/E, tried to simplify things.
Certainly one of the biggest – and most surprising – stories of 2018 was the passage of the California Consumer Privacy Act of 2018. An IAPP examination found it will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises. Here, the IAPP’s Rita Heimes, CIPP/E, CIPP/US, CIPM, and Sam Pfeifle drilled down on some of the implications.
In what appeared to be panic mode, thousands of companies this year started pinging mailing lists to get affirmative opt-in consent (or often re-consent) from their subjects, ostensibly to comply with the GDPR. But, as Jennifer Baker found when she talked to leading privacy pros, that “re-consent everyone” approach could have been overkill.
Maybe you were processing biometric data like a boss up until the GDPR hit. But unlike its predecessor, the Data Protection Directive, the GDPR specifically singles out biometric data as a “sensitive” category of personal information and empowers member states to pursue divergent protections for biometric data. As such, data controllers who are processing or may process biometric data should take note, wrote Danny Ross, CIPP/E, CIPP/US.
Certainly since the GDPR came into force, data subject access requests are a problem for privacy pros. Not only because they’re a new process that must be implemented efficiently, but also because – as we’re hearing from those of you acting as boots on the ground – there are all sorts of phony DSARs going around. Here, Piotr Foitzik, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, offers some tips on how to verify your DSAR is legit.
Regardless of where the organization is established, the GDPR applies to controllers and processors processing EU citizens’ personal data. Organizations not based in the EU have to appoint an EU-based representative to comply. At the same time, the GDPR requires organizations to appoint a data protection officer in some circumstances. Thomas Shaw, CIPP/E, CIPP/US, examined: What is this EU representative role and how does it interplay with the sometimes overlapping role of the DPO?
It was a pretty big deal when, in February, at a meeting in Vancouver, British Columbia, the American Bar Association’s House of Delegates voted to approve a resolution on the IAPP’s Privacy Law Specialist accreditation for a five-year term. The credential is available to attorneys admitted to a U.S. state bar who pass the CIPP/US exam, as well as either the CIPM or the CIPT.
The mark of an organization’s commitment to data protection is shown through its data protection policy/statement/notice. A robust DP notice is essential. Thomas Shaw, CIPP/E, CIPP/US, critiqued the pain points of one such notice in an effort to help you craft one that may be stronger.
Anyone paying attention to the ad tech space, particularly on Twitter, could easily tell you there’s been a growing tension among its players on the future of the industry. The central issue seems to be whether ad tech can continue to operate as it did before the EU shifted its legal landscape on data protection and privacy, or whether it will have to shift to a new model in order to be compliant. Angelique Carson, CIPP/US, (yours truly), had the story.