GDPR (General Data Protection Regulation): European Union (EU) data-privacy rules (effective 25 May 2018) providing individuals with more control of their personal data and strict rules on hosts or processors of such data.

*** TROVELOG ***

Companies will need to be more transparent about the management of employee data or risk getting caught on the wrong side of the European Union’s General Data Protection Regulation.

GDPR takes effect May 25 and builds upon existing European data-privacy rules to protect personal identifiable information and to empower the individuals who are the subject of the data. The burden of compliance falls with organizations that hold and process information.
. . .
Under GDPR, consent must be given freely and explicitly, with the individual clearly informed of the use of his or her personal data.
. . .
Companies are examining their basis for processing employee data and looking at employee contracts, policies and handbooks to decide on what needs to be changed to make sure data processing remains lawful under GDPR, said Mr. Massey.
. . .
The underlying principle of GDPR is any data processing needs to be lawful, fair and transparent, so companies that need to do some level of employee surveillance will need to be explicit about their actions, said Mr. Bowman.

See article at: Mara Lemos Stein, “GDPR Heralds More Transparency in Managing Employee Data,” The Wall Street Journal, May 17, 2018


See video at: “GDPR: What is it and How Might It Affect You,” The Wall Street Journal, May 16, 2018


[O]n May 25, the European Union will bring into force the most sweeping regulation ever of what can be done with people’s data.

This law, the General Data Protection Regulation, will give citizens greater control over their data while requiring those who process personal data in the European Union or about its citizens to take responsibility for its protection. The G.D.P.R. will give Europeans the right to data portability (allowing people, for example, to take their data from one social network to another) and the right not to be subject to decisions based on automated data processing (prohibiting, for example, the use of an algorithm to reject applicants for jobs or loans). Advocates seem to believe that the new law could replace a corporate-controlled internet with a digital democracy.

There’s just one problem: No one understands the G.D.P.R.

The law is staggeringly complex. After three years of intense lobbying and contentious negotiation, the European Parliament published a draft, which then received some 4,000 amendment proposals, a reflection of the divergent interests at stake. Corporations, governments and academic institutions all process personal data, but they use it for different purposes.

See opinion at: Alison Cool, “Europe’s Data Protection Law Is a Big, Confusing Mess,” The New York Times, May 15, 2018


Sonos Inc., the Santa Barbara, Calif., wireless speaker company, recently sent a notice to users world-wide that wasn’t about another software update. It covered the European Union’s new internet-privacy rule.

The EU’s General Data Protection Regulation, or GDPR, takes effect later this month, and “because we believe all Sonos owners should have the right to these protections, we are implementing these updates globally,” the company said.

Apple Inc., Facebook Inc. and Twitter Inc. also say they have updated their global privacy rules in anticipation of the new law.

GDPR is the latest sign of the EU’s growing power in global regulation. With increasing frequency, EU rules targeting industries within the bloc—from consumer products to financial services—have set international benchmarks. Some are taken piecemeal, as with GDPR, from which non-EU companies are cherry-picking elements. Other rules have become de facto world-wide references.

See article at: Daniel Michaels, “Hot U.S. Import: European Regulations,” The Wall Street Journal, May 7, 2018


. . . . The incomprehensibility of user agreements is poised to change as tech giants such as Uber Technologies Inc. and Facebook Inc. confront pushback for mishandling user information, and the European Union prepares to implement new privacy rules called the General Data Protection Regulation, or GDPR. The measure underscores “the requirement for clear and plain language when explaining consent,” British Information Commissioner Elizabeth Denham wrote on her blog last year.
. . .
GDPR, which comes into force in Europe in May and calls for fines as high as 4 percent of a company’s global revenue for violations, will make it tougher to get away with book-length user agreements, says Eduardo Ustaran, co-director of the cybersecurity practice at law firm Hogan Lovells. He suggests that companies streamline their rules and make sure they’re written in plain English. If a typical user wouldn’t understand the documents, the consent that companies rely on for their business activities would be legally invalid. “Your whole basis for using people’s personal data would disappear,” Ustaran says.

See article at: Nate Lanxon, “The ‘Terms and Conditions’ Reckoning Is Coming,” Bloomberg Businessweek, April 19, 2018


The European Union’s General Data Protection Regulation (GDPR), which has been a decade in the making and takes effect on May 25, applies to any business that handles the personal data of European residents. The rules cover almost anything that can be linked to an individual: addresses, credit card numbers, travel records, religion, web search history, computer ID codes, biometric data, and more. . . . .
. . .
Under GDPR, companies can no longer bury data collection policies deep in legalistic “terms and conditions” that few bother to read. They must certify that their processes minimize impact on individual privacy rights. And they may collect only data needed for immediate purposes rather than simply sucking up information expecting to make money from it later. Larger businesses must keep records of the data they hold, why they have it, how long they’ll keep it, and how they protect it. “It takes a long time to compile all the documentation,” says Klaus Hufnagel, managing director of Verivox, a German comparison shopping site for home energy and insurance. GDPR grants consumers the right to see the personal data an organization holds about them, and they have a “right to erasure,” meaning they can ask that the business delete it, for pretty much any reason. If anything is lost, destroyed, or stolen—whether via a hack, losing a thumb drive on a train, or an engineer accidentally hitting the delete key—businesses have 72 hours to fess up to regulators.

See article at: Jeremy Kahn, Stephanie Bodoni, and Stefan Nicola, “It’ll Cost Billions for Companies to Comply With Europe’s New Data Law,” Bloomberg, March 22, 2018


See related Trovelog posts: breach fatigue