GDPR

  1. GENERAL DATA PROTECTION REGULATION (GDPR): EXPLORING THE IMPACT ON ORGANISATIONS & FINANCIAL INSTITUTIONS
  2. GENERAL DATA PROTECTION REGULATION (GDPR)
     - The GDPR protects natural persons with regard to the processing of personal data and gives citizens more control over their personal data.
     - The GDPR applies to all companies processing and holding personal data of data subjects residing in the EU, regardless of the company's location.
     - As data controller, an organization must keep records of and monitor its personal data processing activities. This covers personal data handled within the organization, but also data handled by third parties, the so-called data processors.
     - Data processors can be anything from Software-as-a-Service providers to embedded third-party services that track and profile visitors on the organization's website.
     - Organizations with more than 250 employees, and/or companies processing sensitive personal data at a large scale, must employ or train a data protection officer (DPO).
     - The fines for violating GDPR norms can be significant: the maximum penalty is 4% of annual turnover or €20 million, whichever is higher.
     - In relation to Brexit, the UK Government plans to implement equivalent legislation that will largely follow the GDPR.
     [Diagram labels: Natural persons, Data controllers, GDPR, Data processors]
  3. GDPR DESCRIPTORS
     [Diagram labels: GDPR, Penalty, Territorial scope, Retraceability, Data subject rights, Data breach, Privacy agreement, Data inventory, Data protection officer]
     - NATURAL PERSON
     - PROTECTION OF PRIVACY
     - CROSS-FRONTIER DATA FLOW
     - DATA-PROCESSING LAW
     - ACCESS TO INFORMATION
     - DATA PROTECTION
     - DISCLOSURE OF INFORMATION
     - PERSONAL DATA
     - FREEDOM, SECURITY & JUSTICE
  4. GDPR ACTION PLAN
     [Diagram stages: System Analysis, Gap Identification, System Transformation, Data Inventory Management, Privacy Design, Third Party Requirements, GDPR Compliant]
     - Study business insight
     - Organisation and accountability
     - Develop strategy & roadmap
     - Data breach handling procedure
     - Data subject rights procedure
     - Data protection officer
     - Data processing agreements
     - Privacy risk assessment
     - Risk mitigation
     - Risk acceptance
     - Employee training and awareness
     - Third party agreements
  5. RIGHTS OF THE DATA SUBJECT
     - Breach Notification – GDPR compliant organizations must notify end users of any data breach within 72 hours of first becoming aware of it.
     - Right to Access – On request by the data subject, compliant companies must provide the personal information stored about that end user, together with information on how the data is being used and where it is stored.
     - Right to be Forgotten – This requirement entitles a data subject to have his/her personal data erased and no longer disseminated to third parties or exposed to third-party processing.
     - Data Portability – This rule requires GDPR compliant companies to provide end user data on demand in a commonly used and machine-readable format, allowing users to take their data to another data user.
     - Privacy by Design – Privacy by Design requires data protection to be built in from the start of system design rather than added later.
     - Data Protection Officers – DPOs are mandatory for companies whose core activities include systematic monitoring of customer data on a large scale, or hosting data relating to criminal convictions and offences.
     [Diagram labels: Breach notification, Right to access, Right to be forgotten, Data portability, Privacy by design, Data protection officer]
  6. RIGHTS OF THE DATA SUBJECT
     - The controller shall take appropriate measures to provide any information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 12).
     - The controller shall provide the data subject with the purpose for which the data are collected and the period for which the data will be stored (Article 13).
     - Data subjects have the right to obtain a copy of the personal data you hold about them and an in-depth description of how it is being processed (Article 15).
     - They have the right to have inaccurate personal data corrected (Article 16).
     - They have the right to have inaccurate personal data, or their data generally, deleted (Article 17).
     - The data subject has the right to restrict the controller from processing their personal data, except for the exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State (Article 18).
     CHAPTER III - Rights of the data subject - Articles 12 to 22 & 34; CHAPTER VIII - Remedies, liability and penalties - Articles 77, 78, 79 & 82
  7. RULES FOR BUSINESSES
     - Single set of EU-wide rules
     - Data protection officer
     - EU rules for non-EU companies
     - Data protection by design and by default
     - Data protection safeguards
     - Pseudonymisation & encryption
     - Data protection impact assessment
     - Conditions for data subject consent
     - Data breach notification to the data subject
     - Data breach notification to the supervisory authority
     - Acting as representatives of controllers
     - Record-keeping of processing activities
     - Exemptions - processing of data
     - Penalty for non-compliance
     [Diagram labels: Rights of data subject, Data inventory, EU & non-EU organisations, Supervisory authority, GDPR]
  8. GENERAL DATA PROTECTION REGULATION AND THE FINANCIAL SECTOR
     - The financial sector is one of the most highly regulated sectors worldwide, but many banks and credit institutions have nonetheless been caught off guard by the complexity of the new EU General Data Protection Regulation (GDPR).
     - Organizations risk regulator fines, litigation costs and lost contract opportunities. The biggest risk is likely to arise where work is outsourced to third parties: organizations within the EU, as well as organizations that handle the personal data of EU citizens, have to check that their third-party contracts are GDPR compliant.
     - They should also demonstrate to the regulator that: I. they know where their data resides, II. a breach handling process is in place, III. they respond to the rights of the individual.
     - This Regulation, which takes effect on 25 May 2018, revamps the way organizations handle personal data. It includes many requirements, which banks and financial institutions should act on as soon as possible in order to comply with the GDPR.
     [Diagram labels: GDPR, Personal data, Data protection, Compliance, Financial institutions]
  9. ROLE OF THE DATA PROTECTION OFFICER (DPO)
     - A data protection officer may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract.
     - Be the point of contact for data subjects, and for cooperating and consulting with national supervisory authorities, such as the Information Commissioner's Office.
     - Be consulted and provide advice during Data Protection Impact Assessments.
     - Ensure that all future developments and system implementations fulfil the data protection principles.
     - Assist in creating a platform and environment capable of continuously demonstrating control of personal data.
     - Have a contingency plan (including containment, rectification and communications) to safeguard data, and a process to inform data subjects if something goes wrong.
     - A data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
     - A data protection officer shall report directly to the highest management level.
     [Diagram labels: Data inventory, Data protection officer]
  10. THANK YOU