IAPP CIPM – From Small & Medium Enterprise (SME) to Multinational examples

  1. EU SME – Business details, DPO, insourcing vs outsourcing

Hi guys. Let’s start with the complex examples. The following example will run through the following four lessons in four different parts, and all the names, whether company names or individual names, are fictive, used just for the sake of this example. So let’s start with the small and medium European-based company called Large Union Ltd., which we will call Lul from now on. We will start with some business details.

So this fictive company, Large Union Ltd., is a European Union small and medium enterprise. Its headquarters are in Ireland, and it has locations in Liechtenstein and France. The firm is in the business of exporting consumer electronics products made by its French subsidiary to other countries inside and outside of the European Union. Sales and marketing of the products are handled out of the Liechtenstein office, which sells to other companies as a wholesaler and sells directly to consumers through its website. It averages 50,000 online customers worldwide, with 15,000 buying something every year. The firm is planning to soon introduce a new technology that allows for the delivery of its products by drones. They also intend to use facial recognition technology to validate the recipient of a package. But this new technology is still in the design phase.

Let’s take a look at some personal data details. When selling to consumers on its website, Lul asks the buyer to supply their name, address, bank card details, age, and favourite singer in addition to a digital photo. The data is stored on a cloud data server hosted by Easy Store in the United States and mirrored to servers in Canada. Again, the names are fictive, just for the sake of this example. Lul adds the data to its customer database, from which marketing promotions are sometimes generated based on prior purchases or product searches on its website. The address is used to ship the goods ordered, and the bank card details are used to process payment for the goods. A digital template is created from the photo to use for the planned facial recognition feature.

Let’s start by introducing or initiating the DPO role. Is a DPO mandatory or voluntary? In this case, Lul must first determine if a DPO is mandatory or voluntary. As it is not a public authority, a DPO would be mandatory only if there was regular or systematic monitoring on a large scale or the processing of special categories of data on a large scale. There are at least two uses of personal data that may fall within these criteria. The first is that Lul is using data gathered from its customers’ use of its website to generate marketing outreach.

To do so, they must have been systematically monitoring the behaviour of these users while they were on their website. The second is the use of the digital template created from the photos, which may be considered biometric data under the GDPR and therefore a special category of data that is intended to be used on a large scale for package delivery. When analysing these two requirements, Lul believes that both the collecting and processing of website activity information and the use of digital templates to verify its delivery recipients would likely fall within its core activities, as both are part of the systems used to market and deliver their revenue-producing services. But Lul is not sure if their processing is sufficiently large-scale to require them to hire a mandatory DPO. So it looks at the following factors: the number of data subjects involved, the volume of data, the different types of data, the permanence of the processing, and the geographic scope of the processing. With 500 data subjects globally and 15 new online sales a year, this seems like it could be large-scale processing, but it is still not definitively clear.

Eduard determines that it would be best to designate a DPO voluntarily, even if it is not mandatory, to promote customer confidence in its new technologies, and he documents this analysis. Knowing that a voluntary DPO has the same legal obligations as a mandatory DPO, Lul reviews the job skills for a DPO but quickly realizes that it does not have any available personnel with the required skill set, forcing Lul to decide whether to hire an external candidate or outsource the role. The benefit of hiring their own person is that they could learn the business processes of Lul and get to know its data processing in great detail.

The downside is that there is a cost to paying an agency to locate an external resource, assuming they could identify a suitably qualified candidate. But more than that, Lul is not sure how much of a DPO they require, as they are an SME (small and medium enterprise) with limited resources. Using the criteria discussed, they evaluate, qualify, and select David, a well-reputed and experienced privacy lawyer, to handle their DPO function on a part-time basis with the ability to adapt if needed. Outsourcing the role also assures Lul that David is less likely to have conflicts of interest and will be able to perform his role in an independent manner. They also gain access to a talented professional who would have been prohibitively expensive to hire full-time, and they can allow his DPO hours to grow if necessary with Lul’s sales growth.

David explained that, in his experience, much of a DPO’s important work is in the initial compliance assessment and then follow-ups on the remediation plan, so a part-time DPO arrangement is appropriate for Lul. The firm notifies the Irish DPA, as well as those in France and Liechtenstein, of David’s appointment as DPO and announces it internally to all staff members. His contact details are added to the external data protection statement and internally to the data protection policy. David is to report to the Board of Directors and provide an annual report of his activities and findings. As he is a lawyer, they do not provide him with additional budget for outside counsel but do make one of their internal auditors a part-time member of his DPO team. He is given access rights to all necessary document systems and is added to the schedules of relevant meetings and reviews.

  2. EU SME – Assessing GDPR Compliance step by step

Hi guys. Let’s continue our example with part two. We’ll start by assessing GDPR compliance. David begins his role by interviewing top management, looking for their commitment to both data protection for the firm as a whole and to his role in assessing their compliance with the GDPR. He reviews the available documentation, namely the data protection policy, the data and processing inventory, and related supporting policies and procedures, and follows up with data and process owners and specialists when he cannot find the answers, leaving them with the task of updating the documentation with newly discovered information.

At this time, he is not overly concerned about doing a formal audit or insisting upon evidence to support each policy or procedure as a formal audit would. Instead, the initial assumption is that the policy, procedure, or technology works by design. He will first evaluate how Lul meets its obligations under the seven data privacy principles. Turning first to the data and processing inventory, it should state that the personal data collected directly from customers is name, address, bank card details, age, favorite artist, and digital photo. Personal data not collected directly includes their website browsing activity, perhaps their IP address or device identifier, and the digital template of their photo. All directly collected data should be collected and stored according to the processing activities. The other personal data was taken from examining their browsing activity, perhaps by using a cookie, an IP address, a device identifier, or all of them.

The digital template was created by digitising the analogue photo provided by the customer. The sales process uses at least the name and bank card details, and the delivery process uses the name and address and, soon, the digital template. Marketing uses the online history for digital and other advertising. Other process activities, such as system backups, are assumed to take place regularly. From this list, the seven data privacy principles can be applied to each of the processing operations to understand how compliant the controller is. These data privacy principles should also be stated in the publicly available data privacy statement. Just considering the first processing operation, collection, would generate these inquiries.

Principle one: was the processing lawful, fair, and transparent? To check this, David must first ascertain the legal basis for the collection processing. It would be expected that it was based either on consent or the performance of a contract, and Lul should have documented which. If it was based on consent, what procedures did Lul have to follow to know that the consent was unambiguous, specific, informed, and freely given? Was there an online process that demonstrated the customer’s unambiguous agreement to the collection of their personal data? Was the consent explicit for the biometric data? Was a record kept of the consent received? How did Lul inform its customers sufficiently to gain consent? How does Lul know that the consent was freely given? If the collection processing is based upon the performance of a contract, is all the personal data collected necessary for the performance of the contract? For fairness and transparency, were the data subjects provided all the information required in Articles 13 and 14 for the data that was collected directly and indirectly from them? These are questions that David must ask and find the answer to.

Principle two: was the collection for a specified, explicit, and legitimate purpose? Did Lul document an internal assessment that it did for the specified purpose of the collection? Did Lul perform a compatibility assessment for any further processing it contemplated after the collection? Remember that further processing and processing for a different purpose are not the same thing. Is it clear and unambiguous what the purpose of the processing is? Is the processing compliant with all relevant laws? What are all the laws that collection processing must be compliant with? Was it stated that the purpose of the collection was to market to customers and website visitors?

Principle three: is data minimized, processing only what is sufficient, relevant, and required for the purposes for which it was gathered? Is each type of personal data relevant and necessary, for example age or favourite singer? If it is not necessary for ordering, payment, and delivery of electronic goods, why was it collected then? Is there another purpose? And was that purpose disclosed to the customer? If the data is found not to be necessary, is it immediately deleted?

Principle four: is personal data accurate and up-to-date? What procedures does Lul have in place to ensure data accuracy, for example input controls and software application integrity controls to check data types? What controls does Lul have to keep data up-to-date, for example verifying the information provided by the customer, a process by which they can update the information stored about them, et cetera? How do data subject requests for rectification get handled?

Principle five: personal data should be kept no longer than necessary. Is there a data retention policy and period for each type of personal data collected? What triggers the deletion of data from a system? What procedures are there for sweeping the system to determine if any data is retained beyond its retention period?

Principle six: is security appropriate to prevent unauthorised loss or disclosure of personal data? This is the focus of information security assessments, which will be examined in greater depth in the second scenario.

Principle seven: can the controller demonstrate compliance with Principles 1 through 6? Is there documented evidence, for every type of personal data processed and every type of processing activity undertaken, that Lul has complied with the GDPR principles?

These are a lot of questions that David needs to find answers to by discussing with different people, with the lines of business, and by analyzing how Lul is faring, or is actually doing, in terms of GDPR compliance.

  3. EU SME – Compliance, Technical Assessment and Privacy by Design

Hi guys. Here we are at Part 3 of our example with Lul, regarding compliance with other obligations. Beyond complying with data privacy principles, companies must have processes to respond to the exercise of data subject rights. These rights should be stated in the public data privacy statement, including the availability of these rights, how they are exercised by data subjects, and how they are responded to by the firm. David must check how requests are communicated and handled for access to the data subject’s personal data under Article 15; rectifying or erasing their personal data under Articles 16 and 17; restricting, objecting to, or not being subject to certain automated processing of their personal data under Articles 18, 21 and 22; and porting of their personal data under Article 20; as well as how complaints are handled. There must be appropriate procedures for identifying a data subject before honoring these requests. Controllers must also have kept a record of their data processing activities. David must check when these records are created and updated regarding processing activities and what information is being recorded per the Article 30 requirements. David must also ascertain what other data protection requirements beyond the GDPR Lul is required to comply with and discover when and how that compliance is happening.

At a minimum, the storage of cookies on their customers’ computers would imply ePrivacy Directive obligations. Use of the customer’s details to reach out to them with direct marketing communications would also fall under the ePrivacy Directive, so how these are sent to new or existing customers and the format of the messages should also be verified. Lul would also be subject to at least employment and consumer protection laws in Ireland, France, and Liechtenstein that may have data protection implications, plus possibly data protection laws with extraterritorial application for protection of its non-EU citizens.

Technical assessments and data privacy impact assessments. Lul is planning to introduce drones to provide delivery services for its products ordered by customers. These drones would use video cameras to be directed by an operator to the address of their scheduled delivery.

The use of video recording in public areas can have significant data protection implications. Because this is a new technology involving personal data processed in a new and potentially invasive manner, David advises that, per Article 35, a data protection impact assessment should be undertaken before this new service commences. After evaluating the different types of methodologies, David advises using the Data Privacy Impact Assessment methodology from CNIL, as he believes that it is the most comprehensive. As Lul performs the data protection impact assessment, David monitors its progress and findings. He advises Lul that it must focus on minimising the impact of the invasive use of the video taken by the drone by having the drone travel along public roads so that the camera is viewing only the road and related street signs and is at no time looking into private residences, schools, hospitals, and similar institutions. David advises that the video not be recorded, despite Lul’s request, which was based on the belief that it would need to be recorded for legal liability purposes. He advises that the operator of the drone be adequately trained in data protection principles and that the screen of the operator not be viewable by anyone else.

David also advises that acknowledgment of delivery is done outside the delivery process via email, such that the drone itself is not carrying any personal data. If his recommendations are carried out, David believes that these measures will adequately address the risk without putting data subjects at risk. But he believes it is best to reach out and notify the Irish DPC as a matter of good practice, as well as DPAs in all European Union countries where such drone deliveries will take place.

Privacy by Design. Lul is also planning to use a facial recognition capability during deliveries to match the face of the product buyer with the person who receives delivery, but is still in the design stage of this technology. David must advise Lul on the data protection opportunities to instill privacy into this technology. At this early phase, David meets with the designers of this technology and explains the seven foundational principles of Privacy by Design and the eight design strategies from ENISA, the European Union Agency for Network and Information Security. They decide that they should minimise the data, not retain it, provide notice, and use encryption to further safeguard the personal data, and set this as the default. First, to minimise the data, they analyse the programme used in this new technology to create a digital template from a live image of the data subject and determine that they can use fewer data points to extract the needed facial features to match the digital template they created from the uploaded photo of the data subject. Second, a decision is made to never store the image of the data subject taken by the new technology when delivery is made and to delete this new digital template after it is confirmed against the existing digital template.

Third, all images and digital templates are encrypted with the new technology, and the keys are securely managed. Fourth, data subjects are notified of this use of facial recognition software when the product is being ordered and when the delivery is scheduled, with the option to not participate in this manner. Fifth, data subjects are offered the option to have their digital photos uploaded during the order process deleted upon successful creation of the digital template. And sixth, pseudonymization of the link between the digital template and the name of the customer will be employed as much as possible. David determines he is satisfied that these privacy-by-design actions will decrease the risks to data subjects from the disclosure of their personal data, including sensitive data, in the implementation of this new technology. As the technology gets closer to implementation, he will perform a data privacy impact assessment, and again, as good practice, he will seek to verify his assessment with the relevant authorities.

  4. EU SME – Data Transfers

Hi guys. Here we are at the last part of this first example. We’ll speak about data transfers and processor agreements. Personal information is transferred outside of the European Economic Area and stored on servers in the United States and Canada. David must ascertain the safeguards that are in place for these transfers. The first is the controller-processor agreement between Lul and the cloud storage provider, Easy Store. Does the agreement conform to the requirements of the GDPR under Article 28? David must ascertain that the agreement has sufficient warranties to protect the rights of its European Union data subjects. The processor in this case is simply storing the data and performing no other processing other than mirroring it to its Canada server.

So the agreement should be clear that those are its only processing activities and that they will be undertaken without express instructions from Lul. The agreement should clearly articulate its commitment to data protection and privacy principles for European Union personal data, including a publicly available privacy policy, and its employees and contractors should be bound by confidentiality agreements. It should note its commitment to infosec, have a link to its infosec and data privacy policies, and explain the infosec standard certifications it has achieved. What happens to stored data upon termination of services should be clearly spelled out in the agreement, including secure deletion of data in both countries where the data is stored. Notifications upon events such as security incidents, data breaches, bankruptcy, and the sale of the company should also be described. Liability for any impacts on data subjects and any limits should also be expressly stated, as should the right to audit or use its audited reports. David must not only read through the controller-processor agreement for details, but also any referenced data privacy and infosec policy statements for potential issues with the agreement. David can then review the data transfer mechanisms.

As Ireland, France, and Liechtenstein are all within the European Economic Area, there is no need to deal with the transfer mechanisms between those countries. However, transferring data to the US and then onward to Canada requires David to understand the requirements of the Privacy Shield for the US transfers and the adequacy decision for the Canada transfers. For Easy Store to be self-certified under the Privacy Shield, it must have committed to the Privacy Principles, which are legal obligations upon their joining the program. This also ensures accountability for onward transfers and recourse mechanisms for EU residents, including the use of their local DPAs. Lul’s membership can easily be verified by checking the US Department of Commerce list of companies under the Privacy Shield. David should also review Easy Store’s privacy policy, which is required as part of the Privacy Shield program. David would look at the European Commission’s adequacy decision for Canada and see that it only applies to commercial transfers of data, which should cover Lul’s commercial transfer of this data. Adequacy decisions do not require specific authorization from DPAs, allowing for the ongoing transfer of this personal data outside the European Economic Area.

While the European Commission has determined that these countries’ data protection regimes are adequate as described, this personal data is now being processed under different privacy laws. As such, David should review the relevant privacy laws in the US and Canada to assess any potential impacts on the data subjects’ rights and freedoms in the European Union. With these activities, David has now performed an initial high-level assessment of Lul’s compliance with the GDPR, including data protection impact assessments and privacy by design for new technologies, and can make a report that establishes a baseline level of compliance. He should have discussed and set in motion recommendations in every area where he found a compliance gap and set the stage for his future audits, where evidence will need to be produced to demonstrate compliance with GDPR and all relevant statutes and policies. David must stay involved in all data privacy issues inside the organisation and watch for changes to relevant legislation, standards, and privacy issues inside

Here we are at the end of our first example. In the following lesson, we will start with another example, a multinational US company, an example that will be part of the next five lessons.