Emilio Jasinto’s Post

In this issue of our data protection digest, we explore 💸 Meta's new 251 million euro fine, the #DORA application deadline and its interference with the #GDPR, how to conduct an #AI impact assessment or integrate it into your existing #privacy risk management, what constitutes #US-restricted data transfer to countries of concern, a ‘real-time bidding’ (#rtb) explainer, and Sky Italia telemarketing’s fine. Some other stories in our digest include: 🛃 The European Data Protection Board published guidelines on GDPR Art.48 about data transfers to third-country authorities and approved another EU Data Protection Seal certification. Starting in 2025, five more US states’ consumer privacy rights laws will take effect - Iowa, Delaware, New Hampshire, Nebraska, and New Jersey. ⚠️ The assessment of customer expectations regarding the processing of their data is an essential element in ensuring lawfulness and transparency of processing by organisations, states the Datu valsts inspekcija/Data State Inspectorate of Latvia. Equally, developing appropriate internal procedures and regular training helps ensure employees know how to act in supporting a company's privacy compliance efforts. The National Institute of Standards and Technology (NIST) continues its series of posts about privacy-preserving federated learning, this time looking at poor-quality or maliciously crafted data to intentionally reduce the quality of the trained model. 🤖 Agencia Española de Protección de Datos - AEPD meanwhile discusses the question of how to choose an AI training model that is most appropriate to the context and purpose of the processing operation. The Italian Data Protection Authority approved the Code of Conduct for companies developing and producing management software for companies, associations, professionals and public administrations. ⛔ A motor insurance worker who unlawfully assessed the company system has been handed a suspended prison sentence following an investigation by the UK Information Commissioner's Office. The EDPS - European Data Protection Supervisor is examining the Commission’s compliance regarding its use of Microsoft 365. And finally, LinkedIn suspended its AI model training in Canada, after pausing it in the EU and UK. ➡️ Don't hesitate to sign up to receive this digest via email by using the sign-up form included in the article! 🔗 Read the full article here: https://lnkd.in/dihsuBgd

Data privacy is no longer just a regulatory checkbox! 🔐 It's a fundamental trust factor for businesses. With frameworks like GDPR and India’s Digital Personal Data Protection (DPDP) Act gaining traction, organizations must rethink how they collect, process and store data, as well as generate analytics along with meaningful insights. At Dview, we’ve worked closely with businesses navigating these challenges. One common issue? Data silos and incompatible architectures. Different data systems have their own architectures, access control policies, and protocols – none of which are inter-compatible, which results in delayed insights and increased risks when handling sensitive information. This is where a unified approach becomes critical. With Dview, we make these fragmented architectures irrelevant. Our platform is source-agnostic, enforcing a unified policy layer across all systems while respecting their individual architectures. This ensures sensitive data remains secure and accessible only on a need-to-know basis, giving organizations complete control and peace of mind. And now, as AI continues to shape decision-making, businesses that prioritize responsible data practices and ethical AI will set themselves apart. Data privacy will no longer just protect; it will become a competitive advantage. At Dview, this is more than a challenge – it’s our mission. By empowering businesses with secure, high-performance tools, we’re helping them navigate the complex world of data privacy with confidence. What’s your take on the evolving data privacy landscape?

𝗗𝗟𝗔 𝗣𝗶𝗽𝗲𝗿 𝗜𝗻𝘁𝗲𝗿𝗻𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗗𝗮𝘁𝗮 𝗣𝗿𝗶𝘃𝗮𝗰𝘆 𝗗𝗶𝗻𝗻𝗲𝗿: 𝗛𝗮𝗺𝗯𝘂𝗿𝗴 𝗣𝗿𝗶𝘃𝗮𝗰𝘆 𝗔𝘂𝘁𝗵𝗼𝗿𝗶𝘁𝘆 #𝗟𝗟𝗠 𝗔𝗻𝗮𝗹𝘆𝘀𝗶𝘀 Last night marked another fantastic DLA Piper International Data Privacy dinner in Brussels, setting the perfect tone for the upcoming #IAPP conference. What a joy to reconnect with colleagues and clients from across the globe, sharing insights and experiences in person! The highlight of the evening was an outstanding presentation by Mr. Thomas Fuchs from the Hamburg Data Protection Authority, who presented a groundbreaking analysis as per the discussion paper published last July (attached below): LLMs do not store personal data within the meaning of Article 4 (1), (2) GDPR. His technical explanation was fascinating, particularly regarding how LLMs process information: 📍 Technical Foundation: - LLMs process language through "tokenization" - breaking text into small fragments - These tokens are converted into numerical values - The fragments are further processed into "embeddings" that capture relationships between tokens - No complete words or personal information is stored, only mathematical representations of language patterns 📍 Practical Implications: 1. Unlawful Training: - If a third party used personal data without legal basis during training, this doesn't affect the legality of using the model - Data protection violations during training are attributable to the developer, not the deploying organization 2. Processing risk assessments and GDPR implications: -The traditional binary view of "personal/non-personal data" may not suffice -The concept of "might be" personal data isn't enough for compliance challenges -Mere possibility of personal data processing cannot be the sole basis for regulatory measures 3. Local LLM Operation: - Storing an LLM locally isn't relevant under data protection law -LLMs should be viewed as just one component within broader AI systems, alongside filters, databases, and RAGs - Organizations must enable data subject rights for input/output - Need to implement safeguards against privacy attacks The most revolutionary aspect is how this analysis shifts our understanding of LLM compliance. Rather than treating the model itself as a potential personal data repository, we should focus on the layers where actual personal data processing occurs. His pragmatic yet forward-thinking approach to balancing innovation with data protection principles was particularly enlightening. For deployers, he emphasized that while GDPR-compliant processes are crucial, the focus should be on the practical implementation of safeguards at the system level rather than the model itself. Fascinating discussions continued well into the evening, demonstrating once again why these gatherings are so valuable for our privacy community. Looking forward to the discussions that will unfold during the main conference! #Privacy #IAPP #DataProtection #AI #LLMs

Consent, within the realm of data protection and privacy regulations, denotes the authorization granted by individuals for the collection, processing, and utilization of their personal data by an organization or entity. It stands as a fundamental tenet of data protection laws such as the Ghana Data Protection Act 2012 Act 843, the General Data Protection Regulation (GDPR) in the European Union, and similar statutes in other jurisdictions. Key facets of consent encompass: Voluntary Agreement: Consent must be given willingly, devoid of coercion, intimidation, or undue influence. Individuals should possess a genuine choice and should not encounter adverse repercussions for withholding consent. Informed Decision: Individuals must be fully informed of how their data will be utilized, encompassing the purposes of data processing, any third parties with whom the data will be shared, and their entitlements concerning their personal data. Clear Affirmative Action: Consent should be furnished through a distinct and affirmative action, such as actively ticking a box, clicking an opt-in button, or signing a consent form. Silence, pre-ticked boxes, or passivity cannot be construed as consent. Revocable: Individuals retain the prerogative to rescind their consent at any juncture. Organizations must furnish easily accessible mechanisms for individuals to retract consent, and data processing activities should desist upon revocation, unless another legal basis for processing exists. Documented: Organizations are mandated to maintain records of consent to substantiate compliance with data protection regulations. These records should encompass details regarding when consent was obtained, what information was conveyed to the individual, and how consent was conferred.

How can organizations effectively manage and protect sensitive information in an era of stringent data privacy regulations? As regulations such as GDPR and CCPA enforce strict data protection standards, organizations increasingly seek reliable solutions to manage and protect sensitive information. Discover how iDox.ai is addressing this critical need with its innovative AI-powered redaction tool in this recent San Francisco Post article. Read the full article here: https://bit.ly/3Zjs0DV #AI #DocumentManagement #Innovation #DataProtection #iDoxAI #TechInnovation #Compliance #RedactionTech #Redaction

Monday 18 March - the latest headlines in European #data developments with the CEDPO - Confederation of European Data Protection Organisations - #dataprotectionweekly (N°10/2024) bringing you the essential fresher on key stories from around Europe here: https://lnkd.in/ebMBFnjZ ❗EDPS - European Data Protection Supervisor: European Commission’s use of Microsoft 365 infringes data protection law for EU institutions. ❗Court of Justice of the European Union: The supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject. ❗ European Parliament: MEPs adopt Artificial Intelligence Act. ❗ And much more Member State news.. #privacy #dataprotection #GDPR #RGPD #DSGVO #informationgovernance #artificialintelligence #AI #informationtechnology #informationsecurity #privacylaw #privacypros #privacyculture #dataprotectionlaw #data #dataprotectionofficer #CEDPO #digitalidentity #datasharing #cybersecurity #DigitalEU #CJEU

Day 19 : Data Privacy Privacy regulations (GDPR, CCPA) and their impact on data engineering practices. Data privacy regulations have a significant impact on data engineering practices, especially when it comes to handling personal data. Let’s dive into the key points related to GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act): GDPR (General Data Protection Regulation): ■What is it? GDPR is a comprehensive privacy regulation that applies to organizations handling personal data of EU residents. Key Aspects: ■Scope: GDPR covers data controllers and processors, regardless of their location, if they process EU citizens’ data. ■Consent: Organizations must obtain explicit consent before collecting and processing personal data. ■Rights: Individuals have rights like data access, rectification, erasure, and the right to be forgotten. ■Breach Notification: Organizations must report data breaches within 72 hours. ■Data Minimization: Collect only necessary data. ■Impact Assessments: Conduct privacy impact assessments for high-risk processing. ■Impact on Data Engineering: Data engineers play a crucial role in ensuring compliance by designing secure data pipelines, implementing encryption, and managing access controls. ■They must handle data with care, respecting individual rights and ensuring data accuracy. GDPR encourages transparency, which aligns with good data engineering practices. CCPA (California Consumer Privacy Act): ■What is it? CCPA is a state-level privacy law in California, USA. Key Aspects: ■Consumer Rights: CCPA grants consumers rights over their personal information. ■Opt-Out: Consumers can opt out of data sales. ■Transparency: Organizations must disclose data collection practices. ■Data Security: Implement reasonable security measures. ■Impact on Data Engineering: Data engineers need to understand CCPA requirements and adapt data processing accordingly.They should ensure data security, minimize data collection, and provide clear privacy notices. CCPA emphasizes transparency, which aligns with ethical data engineering practices. Remember, both GDPR and CCPA prioritize data protection and transparency. As a data engineer, staying informed about these regulations is essential for maintaining compliance and building trust with users. 🛡️🔒 Let's connect if we share the same passion ! #DataPrivacy #DataEngineering #LinkedInPost

Data privacy concerns the handling, processing, storage, and usage of personal information in a manner that respects individual rights. Data privacy has become paramount in today's digital age as more personal information is online than ever. Data Privacy is a critical issue in the modern era. It encompasses the responsible handling, processing, storage, and usage of personal information while respecting individual rights. As the amount of personal data being stored online increases, data privacy has become more important than ever before. The importance of data privacy extends beyond legal compliance. It not only builds trust between companies and their customers but also the government and their citizens, ensuring that personal data is used ethically and transparently. The General Data Protection Regulation (GDPR) is a critical regulation that came into effect in May 2018, impacting businesses worldwide. As a comprehensive data protection law, GDPR sets a global privacy and security standard. Data privacy is not just about legal compliance. It’s essential for building trust between companies and their customers, as well as between government and their citizens. Trust is established by ensuring that personal data is used transparently and ethically. The General Data Protection Regulation (GDPR) is a critical data protection law that has had a significant global impact since its implementation in May 2018. It has set a worldwide standard for privacy and data security, demonstrating the importance of this issue. Governments must be proactive and forward-thinking in their approach to data privacy. To achieve this, they must invest in cybersecurity and AI, foster public-private partnerships, and engage with international bodies. Governments can ensure that personal data is handled ethically and transparently by creating effective and harmonized data protection frameworks. This will encourage trust between citizens, governments, and companies, leading to a safer and more secure world. #dataprivacy #cybersecurity #govtech #AI

A couple of recent developments in the data protection world which will be of interest to data controllers, including on supply chain management and visibility: https://lnkd.in/eKFuv5-E The EDPB has issued an opinion on a controller's duties as regards its processors and sub-processors. Key points: * Controllers should have information on the identity of all processors and sub-processors readily available. Processors should proactively provide this information and keep the controller updated. * Controller’s obligation to verify whether the processor or sub-processor present ‘sufficient guarantees’ to implement appropriate measures determined by the controller applies regardless of the risk to the rights and freedoms of data subjects. Extent of verification will vary depending on the nature of the technical and organisational measures. It is up to the processor to propose sub-processors with sufficient guarantees, but the ultimate responsibility on engaging a sub-processor remains with the controller. * Controller does not have a duty to systematically ask for sub-processing contracts to check that data processing obligations have been passed down the chain. However, the controller should assess whether requesting and reviewing sub-processing contracts is necessary for it to be able to demonstrate compliance. * Where transfers of personal data outside of the EEA take place between sub-processors, the processor (as data exporter) is responsible for preparing the relevant documentation. However, the controller should assess this documentation and be able to show it to the competent Data Protection Authority. - The EPBD also publishes guidelines on legitimate interest (open for consultation until 20 November 2024). - The ICO has also been busy, and publishes its new data protection audit framework, complete with audit tracker to help organisations conduct their assessment of compliance, focusing on areas such as overall accountability, records management, cybersecurity, training and awareness, data sharing, requests for data, breach management, age-appropriate design and of course AI...