DALLASVICKY - dallas@9amlabs.com www.generaldataprotection.gr
Finalized and agreed in 2016
Fully enforced from May 2018
The General Data Protection Regulation (GDPR)
(Regulation (EU) 2016/679) is a regulation by which the
European Parliament, the Council of the European Union and
the European Commission intend to strengthen and unify
data protection for all individuals within the
European Union (EU).
It’s about you. About us!
The overall goal of the GDPR is to ensure
that individuals have more control over the
use of their personal data, and to have more
oversight on the processing of that data by
companies.
The right of an individual to have their information
deleted by a company, and the requirement for
a company to reply to complaints of safety
violations within 45 days, are probably the two
biggest changes in the regulations for individuals.
Timeline
Personal data belongs to the individual: give consent.
Safe Harbor Framework: Safe Harbor is the name of an agreement between the United States Department of Commerce and the European Union that regulated the way that U.S. companies could export and handle the personal data of European citizens.
New Directive passed: telephone and internet companies to retain data (trace location / serious crimes).
Reconsider laws.
Safe Harbor Framework determined to be invalid.
New GDPR: to replace the 1995 Directive and the Safe Harbor Framework.
Deadline.
Natural person = a living individual
Personal data = any information relating to an identified or identifiable natural person (data subject)
Personal Data
= any information relating to an identified or identifiable natural person (data subject):
a name, an identification number, location data, an online identifier, or any factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
= any operation or set of operations performed on personal data: collection, storage, recording, alteration, retrieval, use, erasure or extraction.
The term "processing" is very broad. It essentially means anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). This definition is significant because it clarifies the fact that EU data protection law is likely to apply wherever an organisation does anything that involves or affects personal data.
Controller
“means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor
means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Consent of the data subject means: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
It signifies agreement to the processing of personal data.
It must be “by a statement or by a clear affirmative action”.
Principles
Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.
Right to be informed.
The right to be informed encompasses your
obligation to provide ‘fair processing
information’, typically through a
privacy notice. It emphasises the need for
transparency over how you use personal
data.
Right of Access.
Individuals have the right to access their
personal data and supplementary information.
The right of access allows individuals to be
aware of and verify the lawfulness of the
processing.
Right to rectification.
The GDPR gives individuals the right to have
personal data rectified. Personal data can be
rectified if it is inaccurate or incomplete.
Right to Erasure.
The right to erasure is also known as ‘the
right to be forgotten’. The broad
principle underpinning this right is to enable
an individual to request the deletion or
removal of personal data where there is no
compelling reason for its continued
processing.
Right to Restrict Processing.
Individuals have a right to ‘block’ or suppress
processing of personal data. When processing is
restricted, you are permitted to store the personal
data, but not further process it. You can retain just
enough information about the individual to ensure
that the restriction is respected in future.
Right to Data Portability.
The right to data portability allows individuals
to obtain and reuse their personal data for
their own purposes across different services.
It allows them to move, copy or transfer
personal data easily from one IT environment
to another in a safe and secure way, without
hindrance to usability.
Right to Object.
Individuals have the right to object to: processing
based on legitimate interests or the performance
of a task in the public interest/exercise of official
authority (including profiling); direct marketing
(including profiling); and processing for purposes
of scientific/historical research and statistics.
Rights related to automated
decision making including profiling.
The GDPR provides safeguards for individuals against
the risk that a potentially damaging decision is taken
without human intervention. Identify whether any of
your processing operations constitute automated
decision making and consider whether you need to
update your procedures to deal with the
requirements of the GDPR.
DPO
A data protection officer (DPO) is an enterprise
security leadership role required by the General
Data Protection Regulation (GDPR). Data
protection officers are responsible for overseeing
data protection strategy and implementation to
ensure compliance with GDPR requirements.
Companies have the option of hiring a
full time DPO, or contracting one out.
Educating…
…the company and employees on important
compliance requirements
Serving…
…as the point of contact between the
company and GDPR Supervisory Authorities
Monitoring performance and providing advice
on the impact of data protection efforts
Maintaining…
…comprehensive records of all data
processing activities conducted by the
company, including the purpose of all
processing activities, which must be made
public on request
Interfacing…
…with data subjects to inform them about
how their data is being used, their rights to
have their personal data erased, and what
measures the company has put in place to
protect their personal information
SAVE THE DATE
MAY 28, 2018
THANK YOU.
DALLAS
READ: http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf