2. Agenda
• GDPR
• GDPR Penalties
• What is Data Protection?
• Data Controller or Data Processer
• Principles
• GDPR Information Lifecycles
3. GDPR
• General Data Protection Regulation (GDPR), which becomes enforceable across Europe on 25 May 2018. This
is an overhaul, modernization, and replacement of the existing framework, the Data Protection Directive of
1995.
• The GDPR applies to all businesses with customers, or website/mobile app visitors who are from the
European Union (EU). This means that any organization in the world that works with EU residents’ personal
data in any manner has obligations to protect their users’ data and be GDPR compliant.
Famous Quotes
“Think about your user data from the very start, and don’t let it be an afterthought.”
“Companies that have direct customer relationships, it’s all manageable, and on the upside
you not only reduce your compliance risk but benefit from the increased trust your
customers will show in you and the online world in general.”
4. GDPR Penalties
The GDPR (General Data Protection Regulation) sets a maximum fine of €20
million (Euro) or 4% of annual global turnover – whichever is greater – for
infringements
5. What is Data Protection?
• Data Protection refers to legislation that is intended to:
– protect the right to privacy of individuals (all of us)
– ensure that Personal Data is used appropriately by organisations that may have it (Data Controllers).
Personal data is any information that
can be used to identify a natural
person – “Data Subject”
• Name
• Date of Birth
• Address
• Phone Number
• Email address
• Membership Number
• IP Address
• Photographs etc
Some categories of information are
defined as Special Categories of
Personal Data and require more
stringent measures of protection.
These categories include:
• Religion
• Ethnicity
• Sexual orientation
• Trade union membership
• Medical information etc.
Although not listed as “special
categories of personal data”, the
following are also awarded
additional protection:
• Criminal Data
• Children’s Data
6. Data Controller or Data Processor?
The GDPR states that a data controller “determines the purposes and
means of the processing” whereas a data processor acts only and always
“on behalf of the data controller”.
7. Principles
• Purpose limitation
Data can be collected and used only for those purposes that have been transmitted to the data subject and
about which the consent was received. Purpose must be “specified, explicit and legitimate”
• Data minimization
Personal data to be collected should be “adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed”.
• Accuracy
Personal data must be “accurate and where necessary kept up to date”. You must make sure that you do
not retain old and outdated contacts and ensure the erasure of inaccurate personal data without delay
• Storage limitations
Company would have to set the retention period for personal data you collect and justify that this period is
necessary for your specific objectives
• Integrity and confidentiality
The principle of integrity and confidentiality requires you to handle personal data “in a manner [ensuring]
appropriate security”, which include “protection against unlawful processing or accidental loss, destruction
or damage”.
8. Principles
• "Implement anonymization or pseudonymization into the systems.
• Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process
of removing personally identifiable information from data sets, so that the people whom the data describe
remain anonymous.
• Pseudonymization is a data management and de-identification procedure by which personally identifiable
information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms."
• Accountability
Company is responsible for compliance with the principles of the GDPR. It requires a thorough
documentation of all policies that govern the collection and procession of data.
9. GDPR Information Life Cycle
Assess
Capture
StoreUse
Destroy
Data Protection by Design and by Default
Data Protection Impact Assessment (DPIA)
Documentation
Retention Period
Right to erasure
Portability
Third Party copies
Appropriate use
Consent
Manage Consent
Restricted
International Transfers
Safe and Secure
Restricted Access
Data Inventory
Subject Access Requests
Contracts with Data Processors
Data breaches
Data Minimisation
Privacy Notices
Privacy Rights
Obtain Consent