In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation (rather than a directive), the GDPR does not require member states to pass implementing legislation; it becomes directly applicable law on 25 May 2018.
What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
In short, organizations that conduct business in the EU will need to be GDPR compliant, and must come to terms with the huge fines that non-compliance can carry: up to €20M or 4% of annual turnover. For companies that suffer breaches resulting in the loss of personal data (such as TalkTalk, which lost 170,000 people’s data), the fines will be tremendous.
Join us for discussion about GDPR to learn more about:
The principles that organizations that use personal data need to adhere to
The consequences organizations can face if they do not adhere to this new regulation
How your organization can prepare for the future
2. GDPR at Acquia
“Acquia is well positioned to meet the GDPR requirements by the May
2018 deadline. We are building on work we have done to obtain and
maintain our EU-U.S. Privacy Shield framework certification, as well as
our work with customers around the EU model clauses that Acquia
has also implemented.
We’re focused not only on meeting our own obligations, but also on
providing the tools that our customers will need to help them meet
their obligations under GDPR as well.”
3. Who am I
Tassos Koutlas, PhD
UK Technical Director, FFW
Have been working in technology for 15 years
- Drupal and the web
- Machine learning and machine vision
- Devops
4. Contents
● Context
● Definitions
● Principles
● Rights
● Penalties
● How to prepare
5. Context
European law has two types of legislation:
1. Directives - Member states implement
2. Regulations - Immediately applicable
EU GDPR is a regulation.
1981 - EU Treaty 108 - 8 principles for protecting personal data
1995 - EU Data Protection Directive (95/46/EC)
1998 - Human Rights Act (HRA 1998) - Art. 8 right to privacy
2016 - EU GDPR approved, law in 2 years
6. Subject matter
Rules relating to the protection of natural persons with regards to the processing of personal data.
Processing means any operation or set of operations which is performed on personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Natural person is a living individual.
Personal data is any information relating to an identified or identifiable natural person ('data subject'): name, identification number, location data, an online identifier or any factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
7. Controller
Determines the purposes and means of the processing of personal data.
It can be a natural or legal person, public authority, agency or other body.
It can act alone or jointly with others.
FFW and Acquia are controllers of the data they collect for their marketing activities.
Processor
Processes personal data on behalf of the controller.
It can be a natural or legal person, public authority, agency or other body.
FFW and Acquia are processors for other parties as part of their services.
8. Consent
It signifies agreement to the processing
of personal data.
It must be freely given and must give a
specific, informed and unambiguous
indication of the data subject's wishes.
It must be by a statement or by a clear
affirmative action.
10. Privacy by design
GDPR enforces the concept of data
protection by design and by default.
Businesses and organisations need to adhere
to a few principles with regards to the
personal data they are processing.
It is stated explicitly within the law that
organisations are responsible and should be
able to demonstrate compliance with those
principles.
11. Six principles
Six principles are mentioned with regards to personal data.
1. Should be processed lawfully,
fairly and in a transparent way.
2. Should be collected for
specified, explicit and legitimate
purpose.
3. Should be kept up to date.
4. Should be limited to what is
necessary.
5. Should not allow identification of
people for longer than necessary.
6. Should be processed in a way that
ensures appropriate security.
12. An example
Relying on consent as the lawful basis for processing personal data (principle 1). To count, consent must satisfy all of the following:
- Consent was freely given, specific, informed and unambiguous.
- It was a positive opt-in.
- The person was informed that she can withdraw consent at any time.
Compliance:
- Clear privacy notice and terms and conditions, opt-in rather than opt-out
- Ability for people to withdraw consent
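As an added illustration (not code from the slides, nor from FFW or Acquia), a minimal consent ledger in Python that enforces the three requirements above: consent is specific to a purpose, only a positive opt-in counts, and withdrawal is possible at any time, with an event log kept so the controller can demonstrate compliance. All class and field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example of a per-purpose consent record keeper.

@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool          # True = opt-in, False = withdrawal
    notice_version: str    # which privacy notice the person was shown
    at: datetime


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record_opt_in(self, subject_id, purpose, form_value, notice_version):
        # Only an explicit affirmative action counts: an absent field, an
        # unticked box or any default value must NOT create consent.
        if form_value is not True:
            return False
        self.events.append(ConsentEvent(subject_id, purpose, True,
                                        notice_version, datetime.now(timezone.utc)))
        return True

    def withdraw(self, subject_id, purpose, notice_version="n/a"):
        # Withdrawal is always accepted; it must be as easy as opting in.
        self.events.append(ConsentEvent(subject_id, purpose, False,
                                        notice_version, datetime.now(timezone.utc)))

    def may_process(self, subject_id, purpose):
        # Consent is specific: an opt-in for "newsletter" says nothing about
        # "profiling". The most recent event for (subject, purpose) wins.
        latest = None
        for e in self.events:
            if e.subject_id == subject_id and e.purpose == purpose:
                latest = e
        return latest is not None and latest.granted

    def evidence(self, subject_id):
        # The audit trail shown to a supervisory authority on request.
        return [(e.purpose, e.granted, e.notice_version, e.at.isoformat())
                for e in self.events if e.subject_id == subject_id]
```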
Another example
Asking for feedback through a form on the website that captures the email address of a person. Under GDPR an email address is personal data.
Principle 6: Should be processed in a way that ensures appropriate security.
Compliance:
- HTTPS (SSL/TLS) only for website traffic
- Firewall policy for the database server
- Access controls for people accessing the network
14. Rights
The following are mentioned with regards to
personal data.
Appropriate measures (processes, procedures
and training) to allow people to exercise those
rights.
All forms of communication would need to be
in a concise and easily accessible form using
clear and plain language.
Legal based documents would need to be
revised so they are more accessible by the
general public.
the right to be informed;
the right of access;
the right to rectification;
the right to erasure (right to be forgotten);
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated
decision-making including profiling
15. An example
In May 2015 the EU Court of Justice ruled that search engines are responsible for the content they point to and thus need to comply with EU privacy law.
Google was asked to comply with the right to be
forgotten.
- Created the framework to remove search
results from EU index
- Created the process for people to request
removal
Establish processes, procedure and staff training
to deal with people exercising their rights.
17. Low
Fine up to 10,000,000 EUR or 2% of total worldwide turnover, whichever is higher.
- Child consent
- Processing not requiring identification
- Data protection by design and by default
- Joint controllers
- Representative of controllers not established in EU
- Processing
- Cooperation with supervisory authority
- Data security
- Notifications of breaches to supervisory authority
- Communication of breaches to data subjects
High
Fine up to 20,000,000 EUR or 4% of total worldwide turnover, whichever is higher.
- Principles relating to the processing of personal data
- Lawfulness of processing
- Conditions of consent
- Processing of special categories of personal data (i.e. sensitive data)
- Data subjects' rights
- Transfers to third countries
- Access to supervisory authority
- Order/limitations on processing or the suspension of data flows
19. Steps to prepare
Awareness
Make sure that decision makers and
key people in your organisation are
aware that the law is changing to the
GDPR. They need to appreciate the
impact this is likely to have.
Privacy information
Review your current privacy
notices and put a plan in place to
make any necessary changes.
Information audit
Document what personal data you
hold, where it came from and who
you share it with.
Individuals’ rights
Check procedures to ensure they cover all the rights individuals have (e.g. how to delete personal data, or provide data electronically in a commonly used format).
20. Steps to prepare
Data breaches
Procedures to detect, report and
investigate a personal data breach
Data protection by design
and data protection impact
assessments
Familiarise with latest guidance
from Article 29 Working Group and
how to implement Privacy Impact
Assessments for your organisation
(or talk to us at FFW about it).
Access requests
Update procedures and plan how to
handle requests within the
timescales.
Lawful basis of processing
Identify your lawful basis of
processing, document it and update
privacy notice to explain it.
Children
Do you need to put systems in place
to verify individual’s ages and obtain
parental or guardian consent?
21. Steps to prepare
Data protection officers
Designate someone (within your organisation or some legal entity) to take responsibility for data protection compliance. Assess where the role will sit within the organisational structure.
International
If your organisation operates in more than one Member State, determine your lead data protection supervisory authority.
Organisations not established in EU
Designate in writing a representative in the EU.
22. Case study - Hotjar
Thoroughly research the areas of our product and
our business impacted by GDPR - COMPLETE
Appoint a Data Protection Officer - COMPLETE
Rewrite our Data Protection Agreement -
COMPLETE
Develop a strategy and requirements for how to
address the areas of our product impacted by
GDPR - COMPLETE
Perform the necessary changes/improvements to
our product based on the requirements - IN
PROGRESS
23. Case study - Hotjar
Implement the required changes to our
internal processes and procedures required to
achieve and maintain compliance with GDPR
- IN PROGRESS
Thoroughly test all of our changes to verify
and validate compliance with GDPR - IN
PROGRESS (being done incrementally as
changes are completed)
Finalize and communicate our full
compliance - TO BE ANNOUNCED
24. Final Thoughts
To prepare for GDPR, you must understand which data you create, where
and how you process and finally store it.
Only then, you will be able to take the right actions to comply with the new
regulations. Acquia and FFW are ready to support you on this journey.
Under this scheme people would always have to opt in via a request-for-consent form that presents information in a clear and distinguishable way. For example, when a user registers for a service via their email, phone number, or social media profile they would need to explicitly tick a checkbox. Gone are the days of opting out and clever wording on forms to obtain consent. People have a right to be informed, and to be informed in clear language.
Each request would need to be handled within a month of submission and free of charge; otherwise penalties are imposed.
Access Requests
The data subject will have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case:
- Purpose of the processing
- Categories of personal data concerned
- To whom personal data has been disclosed
- Period that personal data will be stored
- Existence of the right to rectify or erase personal data