The General Data Protection Regulation:
An Overview of Challenges and Opportunities
Dr. Dimitrios Patsos,
Chief Technology Officer,
How we got here
• Increase on
• Cyber Security
• Safe Harbour
• EU Reverses
• Weakly Enforced
The GDPR at a Glance
• Data of EU Citizens residing worldwide,
• Replaces Directive 95/46/EC,
• In full force: Friday, May 25th, 2018,
• Fines up to 4% of worldwide turnover, or 20M € (whichever is bigger),
• 173 recitals setting the context of the regulation and how it will be
interpreted by the Data Protection Authorities,
• 99 articles describing in detail the content of the regulation,
• 98 of 99 articles are not directly related to technology,
• 1 article (32) talking about technology.
Degrees of Change
(chart: each area below rated on a 0-10 scale of change from the current regime; individual ratings not shown)
• Material and Territorial scope
• Data Protection Principles
• Lawfulness of processing and further processing
• Sensitive Data and lawful processing
• Subject access, rectification and portability
• Rights to object
• Right to erasure and right to restriction of processing
• Profiling and automated decision-taking
• Personal data breaches and notification
• Codes of conduct and certifications
• Transfers of personal data
• Appointment of supervisory authorities
• Competence, tasks and powers
• Co-operation and consistency between supervisory authorities
• European Data Protection Board
• Remedies and liabilities
• Delegated acts, implementing acts and final provisions
OK, but… What Data?
• Personal Data: anything related to an identified or identifiable natural person ("data subject"); as
a name, an identification number, location data, online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
person (Art. 4 (1)),
• Sensitive Personal Data: anything revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership; data concerning health or sex life and sexual
orientation; genetic data or biometric data. (Rec.10, 34, 35, 51; Art.9(1)),
• Data relating to criminal offences: Data relating to criminal offences and convictions may only be
processed by national authorities. National law may provide derogations, subject to suitable
safeguards (Rec. 19, 50, 73, 80, 91, 97; Art.10),
• Anonymous data: The GDPR does not apply to data that have been anonymized in such a way that an
individual can no longer be identified from the original data (Rec.26),
• Pseudonymous data: pseudonymous data are still treated as personal data because they enable
the identification of individuals (via a pseudonymization process). However, the risks are likely to
be lower (Rec.26, 28-29, 75, 78, 156; Art.4(5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1)).
• Identify a legal basis before you can process personal data
• Processing is necessary for compliance with a legal obligation,
• Processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller (Article
• Lawfulness of processing conditions
• Consent of the data subject (Article 6(1)(a)),
• Performance of a contract with the data subject or to take steps to enter into a
contract (Article 6(1)(b)),
• Compliance with a legal obligation (Article 6(1)(c)),
• Protect the vital interests of a data subject or another person (Article 6(1)(d) ),
• Legitimate interests pursued by the controller or a third party, except where such
interests are overridden by the interests, rights or freedoms of the data subject
(Article 6(1)(f )).
• Freely given, specific, informed and an unambiguous indication of the
• Clear affirmative action,
• Silence, pre-ticked boxes or inactivity do not count as consent (Articles 6-10,
Recitals 38, 40-50, 59),
• Must be verifiable,
• Individuals have a right to withdraw consent at any time.
Data Subject Rights
• The right to be informed,
• The right of access,
• The right to rectification,
• The right to erasure (be forgotten),
• The right to restrict processing,
• The right to data portability,
• The right to object,
• Rights in relation to automated decision making and profiling.
Privacy by Design
• Demonstration of compliance
• Implement appropriate technical and organizational measures that ensure and demonstrate that you comply.
This may include internal data protection policies such as staff training, internal audits of processing activities,
and reviews of internal HR policies,
• Maintain relevant documentation on processing activities,
• Where appropriate, appoint a data protection officer,
• Implement measures that meet the principles of data protection by design and data protection by default.
• Measures could include:
• Allowing individuals to monitor processing,
• Creating and improving security features on an ongoing basis.
• Use data protection impact assessments where appropriate,
• Adhere to approved codes of conduct and/or certification schemes.
• Article 5(2)
• Internal records of processing activities, such as:
• Name and details of your organization (and where applicable, of other
controllers, your representative and data protection officer),
• Purposes of the processing,
• Description of the categories of individuals and categories of personal data,
• Categories of recipients of personal data,
• Details of transfers to third countries including documentation of the transfer
mechanism safeguards in place,
• Retention schedules,
• Description of technical and organizational security measures.
• Article 25, Recital 78
Privacy Impact Assessment
• Using new technologies, where the processing is likely to result in a high risk, such as:
• systematic and extensive processing activities, including profiling, where decisions have legal – or
similarly significant – effects on individuals,
• large-scale processing of special categories of data or of personal data relating to criminal convictions, or
• a considerable amount of personal data at regional, national or supranational level that affects a large number
of individuals and involves a high risk to rights and freedoms.
• A description of the processing operations and the purposes, including, where applicable, the legitimate
interests pursued by the controller,
• An assessment of the necessity and proportionality of the processing in relation to the purpose.
• An assessment of the risks to individuals,
• The measures in place to address the risks, including security measures, and to demonstrate that you comply,
• A PIA can address more than one project.
• Articles 35, 36, 83 and Recitals 84, 89-96
Privacy Impact Assessment - How
(diagram: questions on how and where the data are processed; guidelines, policies, procedures, awareness; integrity, quality, compliance)
Data Protection Officer
• Inform and advise the organization and its employees about their obligations to comply with
the GDPR and other data protection laws,
• Monitor compliance with the GDPR and other data protection laws, advise on data protection
impact assessments; train staff and conduct internal audits,
• Point of contact for supervisory authorities and for individuals whose data is processed
(employees, customers etc.).
• Position & Skill Set
• The DPO reports to the highest management level, i.e. board level,
• The DPO operates independently and is not dismissed or penalized for performing their task.
• Adequate resources are provided to enable DPOs to meet their GDPR obligations,
• Can be an internal employee or an external contractor,
• Should have professional experience and knowledge of data protection law.
• (Articles 37-39, 83 and Recital 97)
• Data Breach >> Loss of Data: a breach is much broader than losing data,
• Data breach == any event leading to the destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data
• What Should I Report, Where and How Fast ?
• A breach where it is likely to result in a risk to the rights and freedoms of individuals,
• Notify the relevant supervisory authority & those concerned directly*,
• Within 72 Hours from becoming aware of,
• Failing to notify results in fines.
• * Exception for encrypted data
• Articles 33, 34, 83 and Recitals 85, 87, 88
• Article 32 (Security of processing) specifies:
• (a) the pseudonymization and encryption of personal data;
• (b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
• (c) the ability to restore the availability and access to personal data in a timely
manner in the event of a physical or technical incident;
• (d) a process for regularly testing, assessing and evaluating the effectiveness
of technical and organizational measures for ensuring the security of the
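The list above names pseudonymization as a technical measure, and the earlier slide stresses that pseudonymous data remain personal data because a pseudonymization process can be reversed. The following is an added example, not code from the presentation, showing one common way to implement it: a keyed HMAC over the direct identifiers, with the re-identification table held separately from the processing dataset (the "additional information" of Art. 4(5)). The records, field names and key are constructed here for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (no real people); the presentation contains no data.
RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.org", "postcode": "1050", "purchases": 3},
    {"customer_id": "C-1002", "email": "bert@example.org", "postcode": "1060", "purchases": 7},
    {"customer_id": "C-1001", "email": "anna@example.org", "postcode": "1050", "purchases": 1},
]

# Fields that directly identify a data subject (assumed schema).
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the identifier.

    The same value under the same key always yields the same token, so records
    of one person stay linkable for analysis. A plain unkeyed hash would not do:
    an attacker could hash a list of likely e-mail addresses and match tokens.
    With a secret key, recomputing or guessing a token requires the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key):
    """Return (processing_dataset, reidentification_table).

    The dataset carries only pseudonyms in the identifier fields. The table
    (pseudonym -> original value) is what makes re-identification possible and
    must be stored separately, with its own access control, from the dataset.
    """
    dataset, table = [], {}
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[field], key)
            table[token] = rec[field]
            new[field] = token
        dataset.append(new)
    return dataset, table


def reidentify(record, table):
    """Controller-side reversal using the separately held table."""
    return {f: (table.get(v, v) if f in DIRECT_IDENTIFIERS else v) for f, v in record.items()}


def leaks_direct_identifier(dataset, originals):
    """Release gate: no original identifier may appear anywhere in the dataset
    that leaves the controlled environment (e.g. is sent to a processor)."""
    wanted = {r[f] for r in originals for f in DIRECT_IDENTIFIERS}
    return any(v in wanted for rec in dataset for v in rec.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives in a key store, never beside the dataset
    dataset, table = pseudonymize(RECORDS, key)
    assert not leaks_direct_identifier(dataset, RECORDS)
    # Postcode and purchase counts remain: such quasi-identifiers can still single
    # a person out, which is why pseudonymous data are still personal data (Rec. 26).
    for rec in dataset:
        print(rec)
    print(reidentify(dataset[0], table))
```

The linkability is deliberate: the two records of customer C-1001 map to the same token, so aggregation still works, while the processor receiving the dataset holds neither the key nor the table.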
• Controllers and processors must know the location where the
personal data are stored or otherwise processed,
• Limits the ability of entities covered by the GDPR to transfer data to
recipients outside the EEA,
• In cascaded cloud environments the transfer of personal data must
comply with the data transfer rules of the GDPR,
• Controllers & Processors (incl. sub-processors) should take adequate
security measures to protect the personal data and must supervise
the implementation of security measures by the processor by
conducting regular audits.
A Draft Action Plan
(timeline: Q1/17 to Q1/18)
A Draft Methodology
• Types of Data
• Specific Data
• Specific Purpose
• Change Notification
• Subject Rights
• Reconciliation of multiple mandates (Lawful Processing),
• Collaboration with Stakeholders (Data Subject Rights),
• Usage of Cloud Providers, BYOD, Consumerization,
• Codes of Conduct, Certifications, Seals and BCRs,
• SMEs and Start-ups,
• Time Restrictions & Tight Budgets.
• Skill Shortage (Data Protection Officer),
• The rise of encryption and data security technologies,
• Synergies & Collaborations,
• Additional budgets,
• New and Innovative solutions,
• Market Awareness.
• A demanding, ambitious but fair piece of legislation aiming at the protection
of EU Citizens’ personal data worldwide,
• Applies without further consultation,
• Heavy fines involved,
• Wide manoeuvre room, with the Article 29 WP trying to provide further
explanations and resolve conflicts (e.g. EU-US Privacy Shield),
• Multiple Challenges and Multiple Opportunities,
• The Clock is Ticking!