Data Protection and Privacy
7 likes4,389 views
The document outlines the evolution and implications of the European Union's General Data Protection Regulation (GDPR), which replaces the outdated 1995 Data Protection Directive. Key components of the GDPR include enhanced data subject rights, cross-border data transfer regulations, and stringent penalties for violations. Additionally, the privacy tech industry is rapidly growing in response to the increasing demand for compliance solutions.
Data Protection and Privacy
- 1. Data Protection & Privacy
- 2. Source: European Union: ECJ Inv alidates Data Retention Directiv e by Theresa Papademetriou | EU General Data Protection Regulation and what it means f or SaaS companies in 2017 and 2018 by Megan Lozicki, Niklas Skog, Diego Checa | GDPR – Timeline by Bird & Bird | A v isual timeline f or implementing the GDPR in the UK EU Data Protection Reform The EU 1995 Data Protection Directive was archaic and non-legally binding for every member state; reform was necessary to improve data protection and privacy 1995: The Data Protection Directive (DPP), officially Directive 95/46/EC is passed. The directive establishes that the ownership of personal data belongs to individuals, who have legal rights over the collection and processing of personal data. 2000: The US-EU Safe Harbour Framework are created as an addition to the 1995 DPP. US companies that comply with the principles and register their certification, such that they fulfill EU requirements, are allowed to transfer data from the EU to the US. 2011: Viviane Reding, the VP of the European Commission, introduces the EU data protection reform. 2012: The legislative proposal of the new General Data Protection Regulation (GDPR) is published and negotiations begin amongst European parliaments. 2015: The Safe Harbour framework is invalidated by the CJEU as a result of the Schrems vs Data Protection Commissioner case. 2016: The new GDPR is approved on 14th April. The EU-US Privacy Shield framework is approved on 12th July, to replace the Safe Harbour agreement. 2018: The GDPR will officially replace the 1995 DPP on 25th May.
- 3. General Data Protection Regulation The new regulation is expected to increase privacy for individuals and provide regulators with more power to take action against businesses in breach Extended Jurisdiction • Applies to all businesses processing personal data of data subjects who are in the EU, regardless of company location and where the processing is carried out Consent • Requests for consent must be intelligible and easily accessible, using clear and plain language • An affirmative action signalling consent is required • Consent should be as easily withdrawn as to give it • Requires parental consent for processing children’s personal data Right to Access • Data subjects have the right to obtain confirmation from the data controller as to whether their personal data is being processed, where and for what purpose Right to be Forgotten • Data subjects have the right to demand the data controller to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data Breach Notification • Mandatory to notify authorities within 72 hours of first having become aware of a data breach • Data processors must notify their controllers Source: EU GDPR | Top 10 operational impacts of the GDPR: Part 1 – data security and breach notif ication by Rita Heimes | MANAGE THE TOP 4 GDPR OPERATIONAL IMPACTS (PART I) by Donna Recchione | MANAGE THE TOP 10 GDPR OPERATIONAL IMPACTS (PART II) by Donna Recchione
- 4. General Data Protection Regulation Including hefty penalties for violations - fines of up to 4% of the company’s worldwide annual turnover or EUR 20M, whichever is higher Penalties for Violations • Fine up to 4% of the company’s worldwide annual turnover or EUR 20M, whichever is higher Cross-border Data Transfers • Personal data transfers permitted to a third country or international organization will be subject to compliance • In the absence of an adequacy decision, transfers are still allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules Data Protection Officers • Large firms and companies that process specialized data must assign a qualified DPO for GDPR compliance Data Portability • Data subjects have the right to receive their personal data in a commonly used and machine readable format • They have the right to transmit that data to another controller Restricted Profiling • Data subjects have the right not to be subject to a decision based solely on automated processing, which produces legal effects or significantly affects them, without human intervention Source: EU GDPR | Top 10 operational impacts of the GDPR: Part 1 – data security and breach notif ication by Rita Heimes | MANAGE THE TOP 4 GDPR OPERATIONAL IMPACTS (PART I) by Donna Recchione | MANAGE THE TOP 10 GDPR OPERATIONAL IMPACTS (PART II) by Donna Recchione | Top 10 operational impacts of the GDPR: Part 4 - Cross-border data transf ers by Anna My ers
- 5. Source: 2018 Tech Vendor Report by iapp Privacy Tech Industry Driving the need for an array of solutions to decisively address a slew of privacy compliance challenges Activity Monitoring Consent Manager Data Discovery Data Mapping Pseudonymity Enterprise Communications Incident Response Website Scanning Assessment Manager
- 6. Privacy Tech Industry Leading to robust vendor growth and increase in solutions offered; with products targeting core compliance requirements accounting for >75% of the industry Source: 2018 Tech Vendor Report by iapp | 2017 Tech Vendor Report by iapp • Vendors are currently focusing on meeting core compliance requirements (via activity monitoring, assessment managers, consent managers, data discovery and data mapping) • Solutions targeting these areas make up 77% of the industry • They are integral to achieving primary regulatory compliance • Other aspects of privacy compliance remain largely untapped, presenting potential market opportunities for startups • The privacy tech industry is booming as evidenced by the robust vendor growth last year • Existing vendors have also built out new privacy technology services in the last year, adding to industry dynamics 43 51 67 98 122 0 20 40 60 80 100 120 140 Q1 2017 Q2 Q3 Q4 Q1 2018 Number of Vendors Website Scanning 4% Incident Response 8%Enterprise Communications 4% Pseudonymity 7% Data Mapping 19% Data Discovery 16% Consent Manager 11% Assessment Manager 16% Activity Monitoring 15%
- 7. Looking Ahead • Reform of the archaic EU 1995 DPP was necessary to improve data protection and privacy • The new regulation is expected to increase privacy for individuals, provide regulators with more power to take action against businesses in breach • Complexity in managing data is driving the need for solutions to address privacy compliance challenges • Existing vendors are primarily focused on producing solutions revolving around assessment managers, activity monitoring, data discovery, data mapping, consent managers • Other aspects of privacy compliance remain largely untapped, presenting potential market opportunities for startups • Whilst most solutions target resolving compliance issues within client datacenters, a small minority have identified the need for data management in the cloud as well as in mobile applications • Privacy technology tools certainly look interesting but companies need to be careful as these external solutions may introduce new enterprise risks About Vertex Ventures Vertex Ventures is a global network of operator-investors who manage portfolios in the U.S., China, Israel, India and Southeast Asia. Vertex teams combine firsthand experience in transformational technologies; on-the-ground knowledge in the world’s major innovation centers; and global context, connections and customers. Yanai Oron General Partner Vertex Ventures Israel yanai@vertexventures.com