Snap Inc. announces GDPR compliance, adherence to privacy by design principles

Wednesday, 16 May, 2018

Google is also adding more services and contextual data controls to the Download Your Data tool so you always have the option to export your data.

Just 10 percent of companies will be in compliance before the GDPR's effective date, 40 percent will be compliant after, and 8 percent don't know when they will achieve compliance, the study found.

In effect, what GDPR is meant to do is to shift control of data from the aggregators of that data to the subjects of that data, and the leverage it holds is the fact that companies cannot do business in Europe (even if located elsewhere) without following consistent GDPR requirements.

Given the prevalence of European tourists and expatriates on the island and the worldwide nature of many Cayman businesses, the European regulation is likely to impact most Cayman-based organizations.

The categories of health data protected under the GDPR rule include genetic data, biometric data, and data concerning health.

The first thing that this does is to effectively establish a provenance trail: if you do not have permission to use data, you will not have access to the relevant keys, and as such you become legally liable in lawsuits brought if you abuse that data.

Financial Services - Financial organizations often maintain huge stockpiles of PII data on account holders. Personal data cannot be used without consent, not just for the initial acquisition of content, but for every subsequent use of that content. What is their understanding of the new regulations?

GDPR expressly avoids such a lazy categorisation of what healthcare providers do, and says: "The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients...by an individual physician [or] other health care professional".

A data controller means the person or organization that decides how and why data should be used.

Have you provided consent for a specified retention period? Companies will need to put in place practices that demonstrate that their processing activities are compliant. GDPR compliance may therefore require new privacy and security procedures for a broad array of business operations, including but not limited to: (i) data collection, use and disclosure; (ii) data retention and deletion; (iii) responses to requests for information about Personal Data by data subjects; (iv) employment policies; (v) communications with current and potential customers; and (vi) marketing procedures.

Snap has also recently rewritten the terms in its Privacy Centre to make it easier for users to read and understand the terms of the app.

An individual also has several other important privacy rights.

It is unlikely, given the current shift away from regulatory control within the United States, that there will be similar legislation in that country soon, but especially as most data-centric companies are transnational in scope, this will likely only slow the adoption of a stronger data privacy regime in America, not stop it.

Companies globally, including Uber Technologies Inc., Yahoo, and Equifax Inc., have increasingly been hit with data breaches in the past few years. A company must notify data subjects if the breach is likely to result in a risk to their rights under Article 34.

Chinese internet titans are now testing a system that assigns every citizen a social credit score that goes beyond a regular credit rating of a person's finances and payment history by evaluating their behavior and preferences as well as their personal relationships.

Are there any changes to what's included as personal data since GDPR?

They also have the right to know who is processing their information and for what objective as well as to have information deleted.

Subject to certain conditions, you are entitled to have your personal data erased (also known as the "right to be forgotten"). There is no need to analyze every single packet and look into the data portion of the packet (where all the sensitive information and, potentially, PII is stored). The FTC has an active history of enforcing the previous European Union data protection law under US consumer protection rules, and there is no reason to anticipate any change in that trend.