Six predictions now the GDPR is in place

Posted by John Kleeman
So the European GDPR is in place now. Questionmark, like most other companies, has been working hard over the last two years to ensure we are compliant and that our customers in and outside Europe can be compliant with the GDPR. See our trust center or summary for information on Questionmark’s compliance.

Is it all done and dusted? My email inbox seems to have a few fewer promotional emails in it. But is this because of the holiday weekend, or have companies really taken my name off their mailing lists? Here are six predictions for what we’ll see going forwards with the GDPR.

1. The May 25th 2018 date will matter much less going forwards than backwards

Companies have been rushing to meet the May 25th date, but GDPR and privacy is a journey, not a destination. There is a famous slogan, “a dog is for life, not just for Christmas”, encouraging people to look after their dog and not just buy it as a cute puppy. Similarly, the GDPR is not just something you get compliant with and then ignore. You need to include privacy and compliance in your processes forever.

No one will care much whether you were compliant on May 25th 2018. But everyone will care whether you are meeting their privacy needs and following the law when they interact with you.

2. History will judge the GDPR as a watershed moment where privacy became more real

Nevertheless, I do think that history will judge the GDPR as being a seminal moment for privacy. Back in the early 2000s, Microsoft popularized the concept of security by design and security by default when they delayed all their products for a year while they improved their security. Nowadays almost everyone builds security into their systems and makes it the default, because you have to in order to survive.

Similarly, the GDPR encourages us to think of privacy when we design products and to make privacy the default, not an afterthought. For example, when we collect data, we should plan how long to keep it and how to erase it later. I suspect that in ten years’ time, privacy by design will be as commonplace as security by design – and the GDPR will be the key reason it became popular.

3. Many other jurisdictions will adopt GDPR-like laws

Although the GDPR is over-complex, it has some great concepts in it that I’m sure other countries will adopt. It is appropriate that organizations have to take care when processing people’s data. It is appropriate that when you pass people’s data on to a third party, there should be safeguards. And if you breach that data, it is appropriate that you should be held accountable.

We can expect lawmakers in other countries to make GDPR-like laws.

4. Supply chain management will become more important

Under the GDPR, a Data Controller contracts with Data Processors, and those Data Processors must disclose their Sub-processors (sub-contractors). There is positive encouragement to choose expert Data Processors and Sub-processors, and there are consequences if processors fail their customers. This will encourage organizations to choose reputable suppliers and to review processors down the chain to make sure that everyone is following the rules. Choosing suppliers and Sub-processors that get themselves audited for security, e.g. under ISO 27001, is going to become more commonplace.

This will mean that some suppliers who do not have good enough processes in place for security, privacy and reliability will struggle to survive.

5. People will be the biggest cause of compliance failures

Organizations set up processes and procedures and put in place systems and technology to run their operations, but people are needed to design and run those processes and technology. Some GDPR compliance failures are going to be down to technology failures, but I predict the majority will be down to people. People will make mistakes or judgement errors and cause privacy and GDPR breaches.

If you are interested in this subject, Amanda Maguire of SAP and I gave a webinar last week entitled “GDPR is almost here – are your people ready?” which should shortly be available to view on the SAP website. The message we shared is that if you want to stay compliant with the GDPR, you need to check your people know what to do with personal data. Testing them regularly is a good way of checking their knowledge and understanding.

6. The GDPR and privacy concerns will encourage more accurate assessments

Last but not least, I think that the GDPR will encourage people to expect more accurate and trustworthy tests and exams. The GDPR requires that we pay attention to the accuracy of personal data; “every reasonable step must be taken to ensure that personal data that are inaccurate … are erased or rectified without delay”.

There is a strong argument that this means that if someone creates a test or exam to measure competence, the assessment should be accurate in what it claims to measure. So it needs to be authored using appropriate procedures to make it valid, reliable and trustworthy. If someone takes an assessment which is invalid or unfair, and fails it, they might reasonably argue that the results are not an accurate indication of their competence, and so that personal data is inaccurate and needs correcting.

For some help on how you can make more accurate assessments, check out Questionmark white papers at www.questionmark.com/learningresources including “Assessment Results You Can Trust”.


U.S. Privacy Shield: Data protection and security

Posted by Jamie Armstrong

Earlier this year I wrote a blog post that summarized some important recent data protection and privacy law developments. Today, I wanted to follow up on that posting by looking particularly at the EU-U.S. Privacy Shield (“Privacy Shield”).

The Privacy Shield came into being to fill the void left by the invalidation of the European Commission decision underpinning the US-EU Safe Harbor Agreement (“Safe Harbor”). From August this year, US organizations have been able to certify compliance with the Privacy Shield – the list of those certified organizations can be viewed here. Questionmark Corporation has certified to the Privacy Shield, and you can view our updated privacy policy here. As was the case for Questionmark’s self-certification to Safe Harbor, our compliance with the Privacy Shield principles is just part of Questionmark’s broader strategy to ensure that relevant international data transfers conform to applicable legal requirements.

The Privacy Shield, as well as other mechanisms such as the EU Model Clauses, provides a way for organizations to comply with EU data protection requirements when personal data is transferred to the US from the EU. Remember that whereas the EU Model Clauses may be relied on for transfers of EU personal data to third countries (i.e. those that are not part of the EEA), the scope of the Privacy Shield is limited to personal data transfers to the US.

The European Commission has produced a helpful guide on the Privacy Shield, aimed at EU citizens, with some key improvements as compared with Safe Harbor being:

  • Greater oversight and monitoring by authorities in the US and EU to ensure compliance, for example by the US Department of Commerce, Department of Transport and Federal Trade Commission;
  • A greater number of ways for individuals to make complaints to enforce their rights without cost, including to an Ombudsman within the US Department of State, via an EU Data Protection Authority, an independent recourse mechanism, and binding arbitration;
  • Additional obligations for participant organizations, like ensuring any third-party transferees provide the same level of protection for personal data as is required by the Privacy Shield.

Although the Privacy Shield includes a number of additional protections for individuals and obligations on organizations, some interest groups remain unconvinced that it is meaningfully different to Safe Harbor and legal challenges in the EU have already been made. With this in mind, organizations that have certified to or may certify to the Privacy Shield will have to monitor EU developments and continue to review their data protection and privacy approaches, so that they are satisfied that there are a sufficient number of means available to them to show adequate protection for EU personal data being transferred to the US. Questionmark’s Privacy Shield certification demonstrates to customers our particular commitment to data protection and security in respect of applicable data.

Check back here for future blog posts on data protection and privacy law issues early next year.

Disclaimer: This blog is provided for general information purposes only and does not constitute legal advice. Any views included are personal to me.

Data Protection and Privacy: Important developments

Posted by Jamie Armstrong

As Associate Legal Counsel at Questionmark, I spend a lot of time thinking about data protection and privacy law issues. There have been many important developments over recent months, and I thought it would be interesting for our readers if I summarized just three of these below. I may look at others and/or consider those mentioned here in more detail in a future blog post. With a dedicated in-house technical and legal team, Questionmark is continuously monitoring changes in this field and my role helps to ensure that Questionmark is ahead of the curve in protecting our customers.

1. For around fifteen years, organizations transferring personal data from the European Union to the United States were able to rely on the US-EU Safe Harbor Agreement as a legal basis for such transfers. The Safe Harbor Agreement allowed organizations to self-certify compliance with certain data protection standards. In October 2015, the Court of Justice of the EU invalidated the EU decision that underpinned this arrangement. This meant that organizations transferring relevant data had to review their arrangements to ensure such transfers remained legal by different means, such as the EU Standard Contractual Clauses or Binding Corporate Rules – Safe Harbor can no longer be relied on for transfers of EU personal data to the US.

2. The final text of the new General Data Protection Regulation (“GDPR”) was agreed in April this year, and the GDPR will have legal effect from May 2018. From that date, the GDPR will replace the current Data Protection Directive and will apply in all EU member states without any implementing national law required. This should help multinational organizations with compliance, as there will be more uniformity than there is now. The GDPR includes some new obligations, like requiring appointment of a data protection officer in certain cases, hence the two-year lead-in period to allow organizations time to prepare. The GDPR is relevant for organizations based outside the EU, as it has broader effect when EU personal data processing is involved.

3. After Safe Harbor was invalidated, the US and EU authorities worked together on a replacement, known as the Privacy Shield. The initial agreed text received a cool response in Europe and was subsequently revised to address concerns, including around possible continued surveillance in the US and insufficiency of the Ombudsman role created to consider complaints. It is expected that the mechanics of the Privacy Shield will operate similarly to Safe Harbor (but with stricter requirements), with voluntary compliance certification to the US Department of Commerce possible from August 1 of this year. Unlike the EU Standard Contractual Clauses and Binding Corporate Rules, the Privacy Shield, as with Safe Harbor, will only apply to transfers of data from the EU to the US. The collective of EU data protection authorities has recently said it will not legally challenge the Privacy Shield for at least a year, to provide an opportunity to gauge how this operates in practice.

With the above representing a very simplified summary of just three important recent developments in the data protection and privacy law field, organizations that control and process personal data clearly need to maintain a heightened level of vigilance to be positioned to respond to the shifting landscape. Check back here for updates on these and other relevant developments in future blog posts.

Disclaimer: This blog post is provided for general information purposes only and does not constitute legal advice. Any views included are personal to me.

For more on Questionmark’s commitment to security, check out the video below:

Is Safe Harbor still safe for assessment data?

Posted by John Kleeman

A European legal authority last week advised that the Safe Harbor framework, which allows European organizations to send personal data to the US, should no longer be legal. I’d like to explain what this means and discuss the potential consequences for those delivering assessments and training in Europe.

What European data protection law says about transfers outside Europe

According to European data protection law, personal data such as assessment results or course completion data can only leave Europe if an adequate level of protection is guaranteed. All organizations with European participants must ensure that they follow strict rules if they allow personal data to be transferred outside Europe. Data controllers can be fined if they don’t comply.

A few countries, including Canada, are considered to have an adequate level of protection. But in order to send information to the United States and most other countries outside Europe, it’s necessary to ensure that each data processor who has access to the data guarantees its protection. This includes every processor and sub-processor with access to the data, including data centers, backup storage vendors and any organization that accesses the data for support or troubleshooting purposes. Even if data is hosted in Europe, the rules must still be followed if there is any access to it, or any copy of it, in the US.

There are two main ways in which US organizations can bind themselves to follow data protection rules and so be legitimate processors of European data: the EU Model Clauses or Safe Harbor.

EU Model Clauses

The EU Model Clauses are a standard set of contractual clauses, several pages long, which a data processor can sign with each data controller. Signing signifies a commitment to following EU data protection law when processing data. These clauses cannot be changed or negotiated in any way. Questionmark uses these EU Model Clauses with all our sub-processors for Questionmark OnDemand data to ensure that our customers will be compliant with EU data protection law.

Safe Harbor

An alternative to the EU Model Clauses in the US is Safe Harbor. Safe Harbor (formal name – the US-EU Safe Harbor Framework) is run by the US Department of Commerce and allows US companies to certify that they will follow EU rules for EU data without needing to sign the EU Model Clauses. You can certify once, and then it applies to all your customers. It’s very widely used, and most large US organizations in assessment and learning are Safe Harbor certified, including Questionmark’s US company, Questionmark Corporation. You can see a full list at http://safeharbor.export.gov/list.aspx.

There is some concern, particularly in Germany, that Safe Harbor is not well enough enforced, so some organizations like Questionmark also use the EU Model Clauses. For example, Microsoft offer these for their cloud products. But Safe Harbor is widely used to ensure the legality and safety of European data sent to the US.

The legal threat to Safe Harbor

Last week, the advocate general of the Court of Justice of the European Union made a ruling that the Safe Harbor scheme should no longer be legal. He argues that the widespread government surveillance by the US is incompatible with the privacy rights set out in the EU Data Protection Directive, so the whole of Safe Harbor should be invalidated. His ruling is not yet binding, but rulings by advocates general are often confirmed and made binding by the court, so there is a genuine threat that Safe Harbor could be suspended.

Negotiations on data protection are underway between the US and Europe, and it is likely that this will be resolved in some way. But there are significant differences in attitude on data protection between Europe and the US. Much anger remains about Edward Snowden’s revelations about US surveillance, so the situation is hard to predict.

What can organizations do to protect themselves?

It’s likely that a deal will be found and that Safe Harbor will remain safe. And if it is ruled illegal, this is going to affect the whole technology sector, not just learning and assessment. But it’s a further argument to use a European vendor for assessment and learning needs and/or one who is familiar with and has their suppliers signed up to the EU Model Clauses.

For more information and background on data protection, see Questionmark’s white paper:  Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities. John Kleeman will also be presenting at the Questionmark Conference 2016: Shaping the Future of Assessment in Miami, April 12-15. Click here to register and learn more about this important learning event.

Where do you deliver assessments from in a post-PRISM world?

Posted by John Kleeman

Like many of you, I have been watching with interest the revelations about government Internet surveillance initiatives. Technologically and legally, none of it is surprising. Businesses and governmental organizations around the world have frequently expressed concerns about the data privacy implications of the US Patriot Act. Indeed, many of our customers cite data protection issues as factors in their decisions to opt for the Questionmark OnDemand service based at our European data centre.

Practically, I am torn between admiring our governments defending us against terrorism and pondering Benjamin Franklin’s saying that if you give up liberty for security, you lose liberty.

Wherever you stand on this issue, there are still questions to address about the practical implications this data protection challenge poses for those delivering assessments. I thought it might be helpful to look at a couple of different scenarios and suggest data protection requirements you might look for when running assessments over the Internet.

Scenario 1. A US company looking for a safe place to deliver assessments from the Cloud

Suppose you are a US company seeking to test your employees via a SaaS vendor. Suppose most employees are in North America but a few are spread around the globe. Here are the likely key data protection requirements:

1. Contract with a US service provider with confidentiality clauses.

2. Data centre and assessment results located in the US.

3. Data centre certified and audited to SSAE 16, the expected standard for quality data centres in North America.

4. Service provider and data centre operator certified under the U.S. Department of Commerce’s Safe Harbor Framework. This means they promise to comply with European data protection rules for data coming from Europe. Without this, you will have HR challenges testing your employees in Europe. With a lot of testing in Europe, you may want to look for stronger measures than Safe Harbor – see the White Paper (complimentary with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.

5. Vendors must have strong IT security including the latest SSL/TLS encryption and other technical measures.

Scenario 2. A European organization who wants to run assessments and keep data in Europe

Many European companies or universities have a legal need to follow European data protection law and keep their data in Europe, and some may have constitutional requirements to avoid US oversight. Here are some of the key things they would look for:

1. Contract with a European service provider with confidentiality and data protection clauses.

2. Data centre with assessment results and personal data located inside the European Union.

3. Data centre certified and audited under ISO 27001, the expected standard for quality data centres in Europe.

4. This alone is only part of the story. The service provider and the data centre operator must not just be located in Europe; they must be European owned and not a subsidiary of a US company. If a US company runs a data centre or service in Europe, even through a subsidiary in Europe, they are required to hand over data on request to the US government, even if that data is in Europe. So if you work with a European subsidiary of a US LMS, VLE or other SaaS company, your data may be obtained by US enforcement agencies. According to a recent report by Reuters, a US judge has ruled that:

Internet service providers such as Microsoft Corp or Google Inc cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies

5. Again, all the legal data protection needs to be accompanied with good IT security. See our security comparison document for some questions to ask.

White Paper (complimentary with registration): Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities.

Questionmark can meet both these needs. You can visit our website to learn how Questionmark OnDemand — US-based or EU-based — offers trustable solutions for either of these scenarios.

Securing online assessment content, exam results and personal information

Posted by Joan Phaup

How safe are your online assessment content and exam results?
How secure is the personal information you store?
How would a data breach impact your organization’s reputation?

Secure test delivery and painstaking protection of data are crucial for successful online testing and assessment programs.

Find out in this video about the many measures we take to provide a secure assessment platform and keep information safe.

You will find more information in the Questionmark White Paper, Delivering Assessments Safely and Securely.