Tag Archive for: GDPR

Blockchain versus GDPR and who should adjust most

| 18-10-2018 | Carlo de Meijer | treasuryXL |

It has now been more than four months since the European Union General Data Protection Regulation (hereafter GDPR) came into effect. This regulation aims to strengthen privacy and personal data protection in the EU by giving private persons more control over their personal data. It also offers a uniform set of rules for businesses with customers in the EU region, with the risk of hefty fines in case of non-compliance.

This event has, however, caused a lot of concern in the blockchain industry. At first glance some GDPR provisions seem to be in direct conflict with the fundamentals of blockchain technology, and may even be intrinsically incompatible with what the new European privacy rules seek to uphold. For blockchain the most controversial GDPR mandate is the “Right to be Forgotten”, which gives individuals the right to request that their personal data be removed from a record. Because of blockchain's decentralised character and the immutability of its ledger, data cannot be deleted: blockchains are designed to last forever. That puts blockchain in direct opposition to the GDPR.

The main questions are: Are there ways for GDPR and blockchain to co-exist? Can blockchain work properly in tandem with the new GDPR regulations without harming its fundamentals? And how should regulators react?

EU General Data Protection Regulation (GDPR): what does it mandate?

The General Data Protection Regulation (GDPR) is far-reaching privacy legislation designed to enhance the protection of personal data and give individuals in the EU greater control over their own data. The GDPR not only requires transparency about what companies will do with consumer data, but also mandates clear consent mechanisms to ensure that consumers understand what companies are sharing, with whom, and for what purpose. GDPR thereby regulates the collection, processing, transfer and retention of every EU citizen’s personal data, requiring companies to provide visibility and control to individuals on demand. Non-compliance with GDPR can result in heavy fines.

GDPR however has a number of key provisions that could heavily impact blockchain.

Read the full article of our expert Carlo de Meijer on LinkedIn


Carlo de Meijer

Economist and researcher


GDPR: From compliance headache to business opportunity

| 24-07-2018 | Reuters | treasuryXL |

The Information Commissioner’s Office has described the new GDPR laws as “the biggest change to data protection law for a generation”. Businesses will face a maximum fine of up to £17 million or 4% of global turnover if they breach the EU rules. These are critical but turbulent times for businesses across Europe. However, if organisations of all sizes play their cards right, GDPR can be transformed from a compliance nightmare into a business advantage.

Competitive advantage

“General Data Protection Regulation is generally seen in a fairly negative light, particularly by organisations. But I think there is a huge opportunity to differentiate services based on trust. The consumer gains from interaction with any institution,” according to Managing Director and Data Protection Officer at Barclays, Jon Rees. He adds: “Our recent research has shown that the number one concern – across many different demographics and usages – is security of customer information, and how it’s being used. There’s a competitive advantage to be had by applying GDPR in a positive way.”

Consistency by design

As a ‘complex corporate’ itself, Barclays has seen another major benefit of GDPR: the obligatory enforcement of good practice and consistency by design across organisations, in terms of the harmonising of data systems. While it’s still early days, transparency is fast becoming the buzzword of GDPR’s inaugural year.

Consumer confusion

There are, predictably, some areas of confusion emerging, especially for consumers, in part accelerated by miscommunication. People are confused about what their individual rights are when it comes to personal data, consent and the right to deletion. Some interpret consent as: ‘unless I’ve given a firm my approval, it has no right to use my data’. While this is not correct, the lack of understanding is unsurprising, given the complexities of GDPR and the fact that it is still in its infancy. However, this is where businesses can once again shine. Those that are helpful and offer clear communication with their consumers on GDPR will come out on top as trustworthy brands that always put the customer first. A more consumer-centric approach is, after all, at the heart of GDPR.

Visit the website of Reuters to read the full article.



GDPR and its effects on the bottom line

| 15-02-2018 | treasuryXL |

On the 25th May 2018, GDPR, a regulation of the European Union, will come into effect. It requires any company that does business within the EU to protect the privacy of the data it holds on consumers, and it restricts the types of data that can be collected. Obviously, this will mean extra expense for companies, as they have to invest in systems and procedures to meet their obligations. However, a recent report by Deutsche Bank has shown that implementing GDPR could also have an impact on revenue.

At present, large companies like Facebook and Google collate data about their users. Mainly, this data is used to present advertising to the individual, based on analysis of the data showing where they have clicked and so on. The scope of GDPR is very large, and such large companies would not be able to deny access to their users if those users decide to opt out of data use.

GDPR defines a principle of purpose limitation. This states that personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This could impact the revenue stream of such companies.

Google receives approximately 33% of its revenue from Europe. Deutsche Bank concluded that if 30% of European users opted out of data sharing, this could affect revenue by 2%. Google and Facebook receive around 75% of all online advertising spending.

At the same time, research suggests that a quarter of a billion readers of news sites have already installed ad-blockers.

The effects on revenue for websites that actively use data supplied by the actions of their users are difficult to quantify, but there will be an impact. Companies will have to look closely at their projected revenue from online advertising and ask whether the figures are too optimistic in the light of this legislation.

If you want more information please feel free to contact us via email [email protected]


GDPR and its effect on your business

| 24-10-2017 | treasuryXL |

As if the finance industry is not already facing enough challenges swimming through the sea of regulatory acronyms – Basel III, EMIR, MiFID II, SOX, KYC etc. – a new directive is due to come into force on the 25th May 2018, namely GDPR.

GDPR (General Data Protection Regulation) is an EU directive concerning the personal data of EU residents that is held by companies. It is intended to give EU residents more control over their personal data by dictating how that data is held by companies. Any data that could be used to determine the identity of an individual must comply with GDPR. Furthermore, the definition of personal data has been expanded from the usual name and address information to include such things as IP addresses, cookie data, photographs, minutes from a meeting where people are named, etc.

The law states that any company that stores or processes personal data about EU citizens within EU states must comply with GDPR. The main criteria are:

  • A presence in any EU country
  • No presence in the EU, but processes personal data of EU residents
  • More than 250 employees

At first glance most small businesses would be exempt, but there is a provision in Article 30 that shows this is not completely true. The following explanation has been externally sourced:

The only time the articles allow concessions for organisations with fewer than 250 employees is in Article 30 – Records of processing activities. Most organisations will have to maintain a record of processing activities that contains the name and contact details of the controller, the reason for the processing, a description of the type of personal data or category being processed, how long the data will be kept before it will be deleted, and some other requirements.

Point 5 of Article 30 states that the requirements will not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories. Therefore, a company that processes data on a regular basis or processes special category content such as racial, political or genetic (and others listed in Article 9) material, even if quite small, will not be excluded from this requirement.

Source: https://www.fsb.org.uk/first-voice/act-now-to-comply-with-new-gdpr-rules

Even sole traders hold data, not just on other companies (trading partners) but also on individuals. A sole trader might think that the law does not apply to them, but a more prudent approach would be to review all data held. Data can be held in a myriad of locations:

  • Hard drives
  • USB sticks
  • Dropbox
  • Cloud
  • Evernote
  • WhatsApp

Having discovered all the data that you hold on others, it is then necessary to design a method to protect that data. Just applying password protection to your computer is not enough; additional security can be provided by encrypting the data.

The rights of the individual are clearly defined by GDPR – these include:

  • The right to be informed
  • The right to restrict processing
  • The right to refuse to become a data subject
  • The right to be forgotten
  • Data portability

The penalties for companies failing to comply with GDPR and failure to disclose data breaches include fines equivalent to 4% of global annual turnover for the preceding financial year or EUR 20 million, whichever is the greater.

What can you do to prepare for GDPR?

All companies that handle client data have a duty to protect that data. That means you need to locate, identify, control and delete data if so requested by the individual. Furthermore, individuals have the right to know how and why companies are using their personal data and if that data is shared with any third parties.

This means starting with a thorough examination to find and identify all third-party data that you hold, and why you hold it. This data then needs to be examined and protected. Data should be held at one primary source; ensure data is not duplicated. Clients need to be informed of the data you hold on them.

Whilst this is a considerable challenge, there is a potential advantage to be gained: clients who know that you are complying may place more trust in you and your organisation.

Remember – you only have about 150 working days left to implement!!