The document provides an introduction to the General Data Protection Regulation (GDPR). It defines personal data and data privacy, explaining that the GDPR aims to strengthen data protection for individuals in the EU. It outlines key areas the GDPR covers such as consent, transparency, profiling, data transfers, and rights of individuals. It discusses penalties for non-compliance, which include fines of up to 20 million Euros or 4% of annual global turnover, whichever is higher. The document provides an overview of the GDPR's requirements and the changes organizations need to make to be compliant, such as conducting data audits and impact assessments, and establishing governance frameworks with accountability.
2. Agenda
• What is Personal data & Data Privacy
• What is GDPR
• Summary
• Penalties
• Who it affects
• What you have to do
• Where to find more information
3. What is personal data?
• "Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person." (Art. 4(1))
• In short: any information that can be used to identify a living person, directly or indirectly, or that relates to them.
• What does that mean?
• This could be a name, an identification number, or location data, and also online identifiers such as an IP address.
• It could also include other information that leads to an individual being identified (physical, genetic or cultural characteristics, for example).
• More care needs to be taken with sensitive personal data, e.g. health data or religious beliefs (the "special categories" of Article 9).
5. Personal Data: Cultural Differences
Europe
• Personal self-determination
• Personal data protection
• Laws, not directives
USA & rest of the world
• Consumer focused
• Treated fairly
• Not protected
• Directives, not laws
6. Why data privacy matters to us
• Businesses and organizations have to care: we are responsible for handling people's most personal information.
• This is an opportunity to make privacy central to the business we do.
• By not handling personal data properly, businesses could put individuals at risk and their own reputation at stake.
• Getting it wrong could result in significant fines.
• Enterprises need robust systems and processes in place to make sure personal information is handled properly and complies with data privacy standards.
7. General Data Protection Regulation
• What?
• The General Data Protection Regulation (GDPR) is a European law that replaces Directive 95/46/EC and the national data protection laws that implemented it in the EU Member States.
• Regulation (EU) 2016/679: directly applicable in each Member State and requires no local implementing legislation. The GDPR is a Regulation.
• Directives, by contrast, e.g. (EU) 2016/680 (43 pages) and (EU) 2016/681 (18 pages), require individual implementation in each Member State through national laws approved by each Member State's parliament.
• Why?
• A single set of legislation across Europe that gives individuals better control of their personal data
• The aim is to strengthen and unify personal data protection for all individuals in the European Union.
• Builds on existing data protection law
• When?
• Applies from 25 May 2018
• Entered into force in May 2016 (adopted April 2016)
• Two-year transition period to get ready
• The GDPR is causing great concern for businesses, with 50 percent of global companies saying they will struggle to meet the rules set out by Europe
unless they make significant changes to how they operate.
8. GDPR – General
Changes
• Explicitly shifts emphasis onto data controllers demonstrating
compliance (Art. 5(2))
• Consent strengthened in practice
• Greatly expanded requirements in relation to fair processing
• Specific requirements on data processors
• Data subjects' rights - Chapter III (Articles 12 – 23)
• If you process personal data of data subjects who are in the EU, you need to comply (Art. 3); the test is where the individuals are, not their citizenship
• Data subjects can request access to their data (Art. 15)
• There are Penalties for non-compliance
• European Data Protection Board (EDPB) is established
• To ensure cooperation, communication, consistency and
mutual assistance between national supervisory
authorities
• To monitor and ensure correct application of the
Regulation
• Examine any question dealing with its application
9. GDPR – Key Areas of Active Discussion
• Consent
• Transparency
• Profiling
• High-risk processing
• Certification
• Administrative fines
• Breach notification
• Data transfers
10. GDPR Key
Features
• Adds new rights
• Data Portability (Art. 20)
• Right to restrict processing (Art. 18)
• Right to erasure ("right to be forgotten") (Art. 17)
• Strengthens existing rights
• Right not to be subject to automated decision making (Art. 22)
• Right to be informed (Art. 12, 13 and 14)
• Right of subject access (Art. 15)
• Data protection safeguards to be 'built in' to systems: data protection by design and by default (Art. 25)
• Privacy-friendly techniques such as pseudonymisation (named in Art. 25 and Art. 32 as an example measure)
• Record keeping has increased emphasis
• Answering auditors
• Data Subject Access Requests
• The right to be forgotten
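The deck lists pseudonymisation as a privacy-friendly safeguard but does not show what separates real pseudonymisation from a cosmetic one. The example below is added here and is not from the original slides: it contrasts an unkeyed SHA-256 of an e-mail address, which anyone can reverse by hashing guessed addresses, with an HMAC under a secret key that is stored apart from the data set, so that attributing a pseudonym to a person needs "additional information" held separately, which is the Art. 4(5) definition. The records, the guess list and the function names are all constructed for the demo.

```python
"""Pseudonymisation: keyed vs unkeyed hashing of a direct identifier.

Added example, not from the original slides. The sample records and the
attacker's guess list are constructed for the demo; no real people.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
    {"email": "alice@example.com", "purchase": "pen"},
]

# A tiny dictionary an attacker might try; constructed for the demo.
GUESSABLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous but is reversible by guessing inputs,
    so it is not pseudonymisation in the GDPR sense."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept apart from the data set.
    Deterministic, so records about the same person still link together,
    but re-identification requires the key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def reverse_by_guessing(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the unkeyed scheme: hash each guess, compare."""
    for c in candidates:
        if hmac.compare_digest(naive_pseudonym(c), pseudonym):
            return c
    return None


def pseudonymise_dataset(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym.
    Returns (pseudonymised_records, lookup_table). The lookup table and the
    key must be stored separately from the records, under tighter access."""
    out, lookup = [], {}
    for r in records:
        p = keyed_pseudonym(r["email"], key)
        lookup[p] = r["email"]
        out.append({"subject_id": p, "purchase": r["purchase"]})
    return out, lookup


def demo():
    key = secrets.token_bytes(32)  # generated per run; in practice held in a KMS/HSM
    pseudo, lookup = pseudonymise_dataset(SAMPLE_RECORDS, key)

    # 1. The unkeyed hash of alice falls to a three-entry dictionary.
    naive = naive_pseudonym("alice@example.com")
    assert reverse_by_guessing(naive, GUESSABLE_EMAILS) == "alice@example.com"

    # 2. The keyed pseudonym does not fall to the same dictionary...
    assert reverse_by_guessing(pseudo[0]["subject_id"], GUESSABLE_EMAILS) is None

    # 3. ...but the key holder can still re-identify via the separate table.
    assert lookup[pseudo[0]["subject_id"]] == "alice@example.com"

    # 4. Linkability is preserved: both alice records share one subject_id.
    assert pseudo[0]["subject_id"] == pseudo[2]["subject_id"]
    return pseudo


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The design point is the separation: the analytics copy holds only `subject_id` and the attribute, while the key and the lookup table sit elsewhere. Lose that separation (key stored next to the data, or an unkeyed hash) and the data set is effectively still identifiable, which is what the slide's "pseudonymisation" bullet is meant to prevent.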
12. GDPR Legal Glossary
• Personal Data
• Controllers & Processors
• Data Protection Officers
• Profiling
• Breach & Notification
• Data Subject Access
Requests
13. Controllers & Processors
• Controllers
• Determine the purposes and means of the processing (Art. 4(7)); the Regulation does not use the notion of data "ownership"
• Responsible for data security
• Must make sure processors are compliant
• Processors
• Process personal data on behalf of the controller (Art. 4(8))
• Must act only on the controller's documented instructions and take appropriate security measures
• The relationship between controller and processor must be documented in a binding contract (Art. 28)
• The Regulation applies to controllers and processors established in the EU irrespective of where the processing takes place (Art. 3(1)).
• It also applies to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU (Art. 3(2)).
• Article 5: Principles relating to processing of personal data
• “The controller shall be responsible for, and be able to
demonstrate compliance with, paragraph 1 ('accountability'). “
14. GDPR – DPO & Profiling
• Data Protection Officers (Art. 37)
• Mandatory for public authorities, for core activities that involve large-scale regular and systematic monitoring of individuals, and for large-scale processing of special categories of data or criminal conviction data
• Expert knowledge of data protection law and practice
• Member States may require a DPO in further cases
• Profiling
• Any form of automated processing of personal data used to evaluate certain personal aspects of a natural person (Art. 4(4)).
• "In particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements".
• Natural person = a living individual. The Regulation (Art. 1) lays down rules on:
• the protection of natural persons with regard to the processing of personal data;
• the free movement of personal data within the EU.
• Material scope (Art. 2):
• personal data processed wholly or partly by automated means;
• personal data that forms part of a filing system, or is intended to.
15. GDPR – Data Privacy Rights
• Natural persons have the right to an effective judicial remedy where their rights have been infringed as a result of the processing of personal data (Art. 79).
• In the courts of the Member State where the controller or processor has an establishment, or
• in the courts of the Member State where the data subject habitually resides.
• Any person who has suffered material or non-material damage has the right to receive compensation from the controller or processor (Art. 82).
• A controller involved in the processing is liable for damage caused by processing that infringes the Regulation; a processor is liable only where it has not complied with its processor-specific obligations or has acted outside the controller's lawful instructions.
• Data Subject Access Request: the right of the individual to learn what is stored about them and how it is used (Art. 15).
16. GDPR Privacy By Design
• Data protection must now be designed into processing, with privacy-protective settings applied by default (Art. 25)
• Controllers/processors not established in the EU must designate a representative in the EU (Art. 27, subject to its exceptions)
• Data Protection Impact Assessments mandatory (Art. 35)
• For technologies and processes likely to result in a high risk to the rights and freedoms of data subjects
• Data audits
• GDPR applies to existing data as well as future data
• Privacy may have to be designed in retrospectively
• Organizations need to identify what personal data they hold, where, on what legal basis, and how it is secured, in a way that meets the requirements of the GDPR
17. GDPR Breach & Notification - Article 33
• Personal data breach: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Art. 4(12))
• Obligation for the data processor to notify the data controller (Art. 33(2))
• Without undue delay after becoming aware
• No exemptions: the processor must report every breach to the controller
• Obligation for the data controller to notify the supervisory authority (Art. 33(1))
• Without undue delay and, where feasible, not later than 72 hours after becoming aware
• Not required where the breach is unlikely to result in a risk to the rights and freedoms of natural persons
• The notification must describe the nature of the breach, the categories and approximate number of data subjects and records, the likely consequences, and the measures taken or proposed
• Where a breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Art. 34)
• Failure to report within 72 hours must be accompanied by reasons for the delay
• Every breach must be documented internally, whether or not it was notifiable, so the supervisory authority can verify compliance (Art. 33(5))
18. GDPR Enforcement & Accountability
• Mandatory security breach reporting
• Significantly larger fines for non-compliance
• Two-tier fine system
• Affects anyone who processes personal data of data subjects in the EU, wherever the organization is based
• Extraterritorial reach (Art. 3(2)): non-EU controllers and processors are covered when they offer goods or services to, or monitor the behaviour of, people in the EU
• The new legislation creates an onus on companies to understand the risks that they create for others, and to
mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a
framework that can be used to build a culture of privacy that pervades an entire organization.
• The GDPR mandates organizations to put into place comprehensive but proportionate governance measures.
• It means a change to the culture of an organization. That isn’t an easy thing to do, and it’s certainly true that
accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it
manages and processes personal data.
19. GDPR – Focus on Consent
• Consent to collect the data has to be given, and the purpose for data collection has to be explicit
• Consent must be demonstrable: the controller must be able to show how and when it was given (Art. 7(1))
• Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative act (Art. 4(11))
• Silence, pre-ticked boxes or inactivity do not constitute consent
• A written request for consent must be clear, intelligible and easily accessible, or the consent is not binding (Art. 7(2))
• Consent can be withdrawn at any time, and it must be as easy to withdraw as to give (Art. 7(3))
• Special conditions apply for a child to consent to online services: under 16, though Member States may lower the threshold to no less than 13 (Art. 8)
• Explicit consent is required for processing special category data (Art. 9), e.g. racial or ethnic origin, health, or sexual orientation (gender on its own is not a special category)
• Specific circumstances allow processing without consent, e.g. to protect the vital interests of the data subject (Art. 6(1)(d))
• Personal data must be secured against accidental loss, destruction or damage (Art. 5(1)(f))
20. GDPR Penalties
Two-tier fine system depending on the nature of the infringement (Art. 83)
Tier 1 – up to 10 million Euros or 2% of annual global turnover, whichever is higher (Art. 83(4)):
• Failing to take steps to keep personal data secure
• Failing to notify the supervisory authority of a data breach
• Infringements of the record keeping, security, breach notification and impact assessment obligations
Tier 2 – up to 20 million Euros or 4% of annual global turnover, whichever is higher (Art. 83(5)):
• Infringing the basic principles for processing, including the conditions for consent
• Failing to comply with individuals' rights
• Infringements related to international transfers
21. GDPR Data
Categorization
• Special categories of personal data (Article 9)
• Racial or ethnic origin
• Political opinions
• Trade union membership
• Religious or philosophical beliefs
• Genetic data
• Biometric data (where processed to uniquely identify a person)
• Health data
• Sex life or sexual orientation
22. GDPR – Article 5 & 6: Lawfulness
• Secure against accidental loss, destruction or damage (Art. 5(1)(f))
• Processing must be lawful, which means it must rest on one of the legal bases in Art. 6(1), inter alia:
• The data subject has given consent for one or more specific purposes
• Other specific circumstances where consent is not required, e.g. so that the controller can comply with a legal obligation, perform a contract with the data subject, or pursue a legitimate interest not overridden by the data subject's rights
• One month to respond to Subject Access Requests, extendable by two further months for complex or numerous requests, and free of charge unless the request is manifestly unfounded or excessive (Art. 12)
• Controllers and processors clearly distinguished, with clearly identified obligations
• Controllers responsible for ensuring processors comply with the contractual terms for processing information
• Processors must operate under a legally binding contract (Art. 28)
• And note the issues around extra-territoriality (Art. 3)
23. GDPR: Transparency
• Any communications with a data subject must be concise, transparent, intelligible
• Controller must be transparent in providing information about itself and the purposes of the
processing
• Controller must provide data subject with information about their rights
• Specific provisions (Article 14) covering data not obtained directly from the data subject
• Rights to access, rectification, erasure (‘right to be forgotten’), to restriction of processing, and
data portability
25. Control Over transfers of Data
• International transfers (Chapter V, Articles 44 – 50)
• Restrictions on transfers outside EU
• Can only take place in compliance with Chapter V
• Regulators can authorize some transfers
• Data portability
• Lead supervisory authorities
• Data protection officers
• Data protection law shouldn't prevent effective sharing of data for anti-money laundering
purposes
27. Key Corporate
Changes for GDPR
• Governance: Board accountability
• Corporate risk register
• Nominated responsible director
• Clear roles and responsibilities
• Data Protection Officer
• Privacy Compliance Framework
• PIMS/ISMS
• Cyber incident response
• Cyber Essentials a minimum security standard
• Certification and data seals (Article 42), with ISO 27001 as a supporting security standard
• Data Protection by Design and by Default
• Data Flow Audits
• Data Protection Impact Assessments (DPIA)
• Mandatory for many organizations
• Legal requirements around how performed and data
collected
29. Suggested minimum technical steps
• Establish a governance framework: board awareness, risk register, accountability framework, review
• Appoint and train a DPO/SDPO
• Data inventory: identify processors and any unlawfully held data
• Data flow audit
• Compliance gap analysis; ensure Fair Processing Notice (FPN) and Subject Access Request (SAR) documents and processes are robust and lawful
• DPIA and security gap analysis
• Remediate
• Privacy compliance framework
• Cyber Essentials / Ten Steps to Cyber Security / ISO 27001
• Data breach response process (NB: test it!)
• Monitor, audit and continually improve
30. What can you do now?
• Make key departments aware
• Work out what you have
• Get your minimum technical steps in progress
• Revise existing privacy notices
• Review procedures for new rights
• Plan how to handle requests
• Document your legal basis for your use of data
• Review how you get consent and record it
• Procedures for data breaches and checks
• Appoint a Data Protection Officer