The General Data Protection Regulation (GDPR) is a European Union law that strengthens and unifies data protection for individuals within the EU. It aims to give control to individuals over their personal data and simplify the regulatory environment for international business. Key provisions include strict rules on consent, rights of access and erasure, breach notification, and increased fines. Under GDPR, all companies that collect EU citizens' data must comply with regulations regarding how personal data is collected, processed, stored, and protected.
2. What is GDPR
a Regulation* by which the European Commission
intends to strengthen and unify data protection
for individuals within the European Union.
It also addresses export of personal data outside the
EU.
3. Goals of GDPR
Lawfulness, Fairness and Transparency
Purpose Limitation
Data minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality
4. What it Covers
• It’s important to note that the EU GDPR covers
personal data. It’s what the US would call
personally identifiable information (PII).
• The objective is to minimise collection of personal
data, delete personal data that’s no longer
necessary, restrict access, and secure data through
its entire lifecycle
5. Personal Data
Any information related to a natural person or ‘Data
Subject’, that can be used to directly or indirectly
identify the person. It can be anything from a name,
a photo, an email address, bank details, posts on
social networking websites, medical information,
or a computer IP address.
6. Special Categories of
Personal Data
● Race and ethnicity
● Political, religious, or philosophical beliefs,
including union membership
● Health, sex life, and sexual orientation
● Genetic and biometric data (for the purpose of
uniquely identifying a person)
7. Penalties
If a firm infringes on multiple provisions of the GDPR, it shall
be fined according to the gravest infringement, as opposed to
being separately penalised for each provision
● Lower level: Up to €10 million, or 2% of the worldwide
annual revenue of the prior financial year, whichever is
higher
● Upper level: Up to €20 million, or 4% of the worldwide
annual revenue of the prior financial year, whichever is
higher
8. Controller and Processor
● ‘controller’ means the natural or legal person, public
authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the
processing of personal data
● ‘processor’ means a natural or legal person, public
authority, agency or other body which processes
personal data on behalf of the controller
9. Guidelines for GDPR
● Businesses (controllers and processors) have to document what personal data
they hold, where it came from, who they share it with and what they do with it.
● Businesses need to identify where the data is stored and how long it is stored
for.
● Businesses have to identify lawful bases for processing data and document them.
● Businesses have to review how they ask for and record consent.
● Businesses need to have systems to record and manage ongoing consent.
● Businesses need to analyze what risks are associated with the data and what the
impact of each risk is.
● Businesses need to identify solutions to avoid or mitigate these risks.
● Businesses need to be registered with the Information Commissioner's Office.
10. Types of Consent
● Approved Consent
● Contract
● Legal Obligations
● Vital Interests
● Public task
● Legitimate Interests
● Criminal Offense Data
11. How Consent is Communicated
Unambiguous consent - personal data
Freely given: The data must be freely given, i.e. the data subject must have a
genuine choice not to provide data.
Specific: Consent must be specific and the requirements must be easy to
understand.
Informed: The data controller must be made aware of how the data will be used,
and must have free access to information describing data use.
Unambiguous: There should be a clear affirmative action to signify consent.
12. ….Continued
Explicit consent - sensitive personal data
● Once the conversation moves into sensitive data, explicit consent is required. For
example, when you provide your data to join a competition, you understand
you want to win and need to be contacted if you do, and that is the reason
you provide your details.
● Explicit consent is a more pro-active means, directly asking you to consent to
a specific use of your data, such as a checkbox next to a description of how
your data will be used.
● With unambiguous consent, it is understood you need to provide data for
one reason or another. With explicit consent, you are given an exact description
of what your data will be used for.
13. Individual Rights
● Right to be Informed
● Right to Access
● Right to rectification
● Right to Erasure
● Right to Restrict Processing
● Right to Data Portability
● Right to Object
● Right not to be subject to automated decision-making,
including profiling
15. Right of Access
● GDPR requires the Data Controller to provide the data subject a copy of their
data free of charge.
● GDPR does allow a reasonable charge when the request is unfounded or
excessive, particularly if it is repetitive.
● The data controller may also charge a reasonable fee for further copies of the
same information.
● The data controller may not charge for subsequent requests. Any fee must be
based on the administrative cost of providing the information.
● The main intent is that a person has full rights to his or her data, without
abusing the data holders.
16. Right of Erasure
● If the data is no longer required for the purpose it was originally provided for it
should be erased.
● The data should be erased if the individual requests the data to be erased.
● The data should also be erased if it is used illegally or in breach of GDPR.
● If the individual objects to processing, and there is no overriding legitimate
reason to process the data - it should be erased.
● The data should exist in the data controller's hands only for the purposes it was
given for, and only as long as it is required for those purposes.
17. Putting GDPR Principles into Action
The main principle of GDPR is: Data protection by design and by default
Practicing data minimization
What data do we actually need?
● When signing up for a website, do we need a person's birth date?
● We may need it to verify the person is above a certain age, but we don't need
to store it in perpetuity
How long do we store the data for?
● If the person is signing up for a competition, why store the information after
the competition has ended? A data controller is obligated to remove data that is
no longer needed under GDPR.
How many locations/systems does that data need to exist in?
Is that data being used solely for the purpose it was provided for?
18. Pseudonymisation
Pseudonymisation means transforming the data to an extent where the person
can no longer be identified without additional information.
Effectively, GDPR advocates separating a person's general data from the data
that can identify the person.
Ways to pseudonymize the data:
● Encryption at rest and in transit.
● Hashing.
● Masking.
● Aggregation (reporting on large data sets, rather than individuals).
● Indirect references.
The above actions are important when the authorities determine the amount of
fine levied against a company in case of a breach.
19. Record Keeping
● Name and contact details of the controller.
● Purpose of processing.
● Categories of data subjects and categories of personal
data.
● Who are the recipients to whom the personal data have
been or will be disclosed.
● Transfers to other countries or international
organizations.
● Time limits for erasure.
● Technical and organizational security measures.
21. Data Protection Impact Assessment
● Under the GDPR, DPIAs will be mandatory for any new high risk processing
projects
● The DPIA process will allow you to make informed decisions about the
acceptability of data protection risks, and communicate effectively with the
individuals affected
● Not all risks can be eliminated, but a DPIA can allow you to identify and
mitigate against data protection risks, plan for the implementation of any
solutions to those risks, and assess the viability of a project at an early stage
● Good record keeping during the DPIA process can allow you to demonstrate
compliance with the GDPR and minimise the risk of a new project creating legal
difficulties
22. Communication with Customers
● Review all current data privacy notices alerting
individuals to the collection of their data
● Review and implement cookie policy
● Remember transparency and consent freely
given (no pre-selected checkboxes, or
assumption of consent)
23. In case of Breach
● Notify official authorities within 72 hours of a breach if it
can result in a risk to the rights and freedoms of
individuals
● If the breach is of high risk to the rights and freedoms of
individuals, we have to inform those customers
● Failure to report a breach when required to do so could
result in a fine, as well as a fine for the breach itself
24. EU Citizens and Customers
● Based on geolocation we can “show” the cookie
policy and privacy policy to EU customers only
● If we can establish EU Citizenship we also need
to “show” and act in compliance with GDPR
● Based on this we can reduce UX impact in our
other core business, the American and Australian
customers
26. Privacy Policy
What do we need to state?
• Who we are
• What information is being collected?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
27. Cookie Policy
• They might contain PII, so they need to be GDPR compliant
• Before the user can interact with the website they need to choose one of the
following:
• Click “Accept”. This dismisses the popup, and constitutes consent for the
controller.
• Click “Visit settings to decline”. This dismisses the popup, and opens up a new
window to a technical settings page for data subjects to decline or revoke
previously granted consent.
• Click “x” to dismiss the popup. This lets the user access the web content, but
does not in itself grant the controller consent. The website must wait for the user
to click accept on a future visit before setting any information that can identify the
subject in a cookie.
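The three banner choices above, as an added example that is not part of the deck: a small consent state machine in which identifying cookies can only be written once consent is recorded, "x" grants nothing, and "decline" on the settings page revokes consent and removes any identifying cookies already set. The `cookies` object stands in for `document.cookie` so the flow runs outside a browser, and the cookie names are this example's assumptions.

```javascript
// Consent state for one visitor. `cookies` is a plain object standing in for
// document.cookie (assumption) so the flow can run under Node.
function initialState() {
  return { bannerOpen: true, settingsOpen: false, consent: null, cookies: {} };
}

// Cookies that can identify the data subject may only be written once the
// visitor has actually accepted; the consent record itself is not identifying.
function setCookie(state, name, value, identifying) {
  if (identifying && state.consent !== true) return false; // refused: no consent
  state.cookies[name] = value;
  return true;
}

function removeIdentifyingCookies(state, identifyingNames) {
  for (const n of identifyingNames) delete state.cookies[n];
}

// The three banner choices from the slide plus "decline" on the settings page.
function handleAction(state, action) {
  switch (action) {
    case 'accept':
      state.consent = true; state.bannerOpen = false;
      setCookie(state, 'consent', 'granted', false); // records the choice only
      break;
    case 'settings':
      state.bannerOpen = false; state.settingsOpen = true;
      break;
    case 'decline': // on the settings page: refuse or revoke consent
      state.consent = false; state.settingsOpen = false;
      setCookie(state, 'consent', 'denied', false);
      removeIdentifyingCookies(state, ['session_uid', 'tracking_id']);
      break;
    case 'close': // the "x": content is reachable, but nothing is granted
      state.bannerOpen = false;
      break;
  }
  return state;
}

// On a later visit the banner reappears unless a decision was recorded.
function onNewVisit(state) {
  state.bannerOpen = !('consent' in state.cookies);
  return state;
}
```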
28. Customer Rights
All systems need to change; our customers need to be able to:
• Access all the data we have on them
• Correct that data
• Be forgotten by deleting their account
• Export all their data: download all the data we have on
the customer in a structured, commonly used and machine-readable format
(i.e. JSON)
• Easily remove the consent previously given for data processing
• Manage what they want to receive from marketing and where (email, mobile,
etc.)
29. Audit Trail
• We need to implement an audit trail for all access to
our customers' data
• Who, when, what, where and how needs to be
answered
• In case of breach, with an audit trail we only need to
inform the customers affected and not our whole customer
base
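The breach-scoping point above, as an added example that is not part of the deck: each audit record answers who, when, what, where and how for one access to a data subject's record, and a scoping query over the trail returns only the subjects a compromised principal touched within the incident window. The JSON-lines trail and its field names are constructed for this example.

```javascript
// One audit record answers who / when / what / where / how for each access
// to a customer's data. Field names are this example's assumption.
function auditRecord({ who, when, what, where, how, subject }) {
  return { who, when: new Date(when).toISOString(), what, where, how, subject };
}

// Constructed sample trail (JSON lines), as an application might append it.
const SAMPLE_TRAIL = [
  '{"who":"alice","when":"2018-05-25T08:00:00Z","what":"read","where":"crm-db","how":"web-ui","subject":"c-1001"}',
  '{"who":"svc-export","when":"2018-05-25T09:10:00Z","what":"read","where":"crm-db","how":"api-key","subject":"c-1002"}',
  '{"who":"svc-export","when":"2018-05-25T09:12:00Z","what":"export","where":"crm-db","how":"api-key","subject":"c-1003"}',
  '{"who":"svc-export","when":"2018-05-26T12:00:00Z","what":"read","where":"crm-db","how":"api-key","subject":"c-1004"}',
  '{"who":"bob","when":"2018-05-25T09:30:00Z","what":"update","where":"crm-db","how":"web-ui","subject":"c-1002"}',
].join('\n');

function parseTrail(text) {
  return text.split('\n').filter(Boolean).map((line) => auditRecord(JSON.parse(line)));
}

// Breach scoping: which data subjects did the compromised principal touch
// during the incident window? Those are the ones to notify, not the whole base.
function affectedSubjects(records, { who, from, to }) {
  const start = new Date(from).getTime();
  const end = new Date(to).getTime();
  const hit = new Set();
  for (const r of records) {
    const t = new Date(r.when).getTime();
    if (r.who === who && t >= start && t <= end) hit.add(r.subject);
  }
  return [...hit].sort();
}

// Example: the "svc-export" API key was misused during a one-hour window.
console.log(affectedSubjects(parseTrail(SAMPLE_TRAIL), {
  who: 'svc-export', from: '2018-05-25T09:00:00Z', to: '2018-05-25T10:00:00Z',
}));
```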
31. GDPR Key Points
• Personal data is owned by the customer; at a minimum we need consent
• Privacy and Cookie Policy detailing everything
• Right to export, access the data, modify and delete it
• Allow the user to opt out of marketing in any form
• Easily access all of the above, with option to remove the consent previously
given, transparency is key
• Data breaches and notifications
• Non-compliance leads to fines, lower infringements 2% of annual revenue or €10
Million, higher infringements 4% of annual revenue or €20 Million. Whichever is
higher!
32. Focus Points
• Start by mapping the customer personal data; Security team will help with DPIA
• Prepare Privacy Policy and Cookie Policy
• UX for privacy and cookie policy
• New Privacy Options section
• All teams need to be involved, from business to development
• Data protection by design and by default
• All our compliance and security measures need to be documented