4. @jakedimare 3
Agenda
The basics
Definitions and key provisions
First steps
5. GDP . . . What?
Dell sponsored a survey of 821 IT pros globally in September 2016
80% said they have “little or no knowledge” of the GDPR
In Europe, 6% said “very familiar”
Outside of Europe, just 4%
97% said their firm does not have a plan to be in compliance
Source: http://fortune.com/2016/10/11/gdpr-dell-survey/
6. What is the GDPR?
An EU regulation governing privacy and protection of personal data.
It contains substantial new or expanded requirements for the
collection, processing, and use of personal data.
After over four years of negotiations and framing, the GDPR became
law in every EU member state on 25 May 2016.
However, enforcement of the law has been suspended for two years,
until 25 May 2018.
7. My company is not located in the EU – Why should I care?
The GDPR is “extraterritorial.”
It does not apply to a specific geography – i.e., EU states.
Rather, it applies to any company, located anywhere in the world,
that has almost anything to do with EU residents.
Specifically, companies must comply with the GDPR if any of the
following apply:
They are located in the EU
They “offer goods or services” to EU residents
They “monitor” EU residents. (More on monitoring later. But for example, a company that
tracks browsing with a cookie may never offer goods or services, but it is
“monitoring” EU residents and must comply with the regulation.)
8. May 2018? Why should I care now?
The framers of the regulation specifically built in a two-year transition
period, in order to give firms time to comply.
This indicates that the framers understand that the GDPR often calls for
significant and disruptive changes to data processing and other business
practices.
Experts agree that many firms will find two years insufficient.
Firms will not be able to appeal for a “grace period” in light of the
“new” law in May 2018. The grace period is now.
9. EU data law is already harsh. What’s different?
“New requirements concern . . . privacy impact
assessments, privacy by design, pseudonymisation,
data breach notification, data processor obligations,
organisational accountability and data protection
officers, data protection principles, rights of
individuals; legal liability, remedies, fines; and the
roles and powers of data protection authorities.”
Source: https://www.informationpolicycentre.com/eu-gdpr-implementation.html
10. It’s too hard! We’ll just pay the fines.
No you won’t.
The framers recognize that current EU data protection penalties are
too small and inconsistently applied.
The GDPR specifies that fines should be “effective” and “dissuasive”
– i.e., meant to inflict pain and to discourage repeat offenses.
Two categories of fines: Level 1 = €10m or 2% of global turnover;
Level 2 = €20m or 4% of global turnover.
In addition, privacy advocates may file civil suits, and executives
may be jailed.
11. Putting the personal back into data
The GDPR does not literally subsume personal data under (private)
property law.
But practically, this is the behavior it encourages and expects.
Personal data always only belongs to the person it identifies.
You are only borrowing it. (Although you might hold it for a very long
time, it never becomes yours.)
12. Putting personable back into buyer-seller relations
In the collection and processing of personal data (PD), the GDPR
wants you to be that good neighbor borrowing a car – responsible,
trustworthy, non-abusive.
Thus, compliance does not mean following the letter of the law (and
taking advantage of loopholes or gray areas).
Rather, it means adhering to the spirit of the law. The framers call this a
principles- and outcomes-based approach, which tries to avoid
prescriptive details.
13. In short:
At the highest level, compliance with the GDPR means respecting the
privacy and personal data protection principles it embodies (and being
able to document and demonstrate such respect).
You cannot “innovate your way around” the GDPR – but it encourages
and wants you to innovate within and in the name of its core principles.
The regulation contains a lot of “Thou shalt nots.”
But you should not think of it as a regulatory straitjacket that interferes
with your current business practices.
Rather, it describes a new playing field, with new rules. The question is,
how will you adapt your behaviors in order to dominate in this new
environment?
15. Personal data
Source: GDPR, Art. 4 para. 1.
• “Data from which a living individual is identified or identifiable, by
anyone, whether directly or indirectly and by any and all means
likely to be used.”
• Includes, beyond the obvious: location data, RFID tags, and online
identifiers such as device IDs, cookie IDs, IP addresses. (Further
clarification expected.)
• Special categories of data (aka sensitive data), such as genetic and
biometric data, sexual orientation, religion/religious belief, political
opinions, and racial and ethnic origin, are subject to more stringent
conditions.
18. Consent
Source: GDPR, Art. 4, para. 11.
• All consent must be unambiguous and active. No pre-checked
boxes, no designed opt-out, no implied consent by using a service
• Consent requests (T&Cs) must be “concise, transparent,
intelligible.” They must present “genuine and granular choice.” They
must spell out precisely what the data will be used for – this cannot
be general or “omnibus,” and separate consents are required for
different data processing activities.
• Consent is not transferable
• It must be as easily revoked as granted
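The consent rules above (active opt-in only, one purpose per consent, not transferable to another controller, withdrawable as easily as granted, and documented) map naturally onto a small ledger. The following is an added example, not code from the slides or from any GDPR tooling; the subject ids, controller names, purposes and capture sources (`checkbox_ticked` and so on) are constructed for illustration.

```python
"""Consent ledger enforcing the consent rules summarised on the slide:
active opt-in, granular per purpose, non-transferable, revocable, auditable.
Added example; all identifiers and capture sources are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str    # the data subject
    controller: str    # the organisation the consent was given to
    purpose: str       # one specific processing purpose, e.g. "newsletter"
    granted: bool      # True = consent given, False = consent withdrawn
    at: datetime
    source: str        # how it was captured, e.g. "checkbox_ticked"


class ConsentLedger:
    # Capture methods that count as an affirmative act (constructed list).
    ACTIVE_SOURCES = {"checkbox_ticked", "button_clicked", "signed_form"}
    # Purposes too broad to be a granular consent.
    OMNIBUS = {"all", "any", "omnibus", "*"}

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def grant(self, subject_id: str, controller: str, purpose: str,
              source: str, at: Optional[datetime] = None) -> None:
        """Record consent; refuses anything that is not an active, granular opt-in."""
        if source not in self.ACTIVE_SOURCES:
            raise ValueError(f"consent must be an active opt-in, got source {source!r}")
        if purpose.strip().lower() in self.OMNIBUS:
            raise ValueError("consent must be granular: one processing purpose per grant")
        self._events.append(ConsentEvent(subject_id, controller, purpose, True,
                                         at or self._now(), source))

    def withdraw(self, subject_id: str, controller: str, purpose: str,
                 at: Optional[datetime] = None) -> None:
        """Withdrawal needs no justification and no special channel: one call."""
        self._events.append(ConsentEvent(subject_id, controller, purpose, False,
                                         at or self._now(), "withdrawn"))

    def may_process(self, subject_id: str, controller: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if the latest event for exactly this subject, controller and
        purpose (as of `at`) is a grant. Consent for another purpose, or given to
        another controller, does not carry over."""
        at = at or self._now()
        latest: Optional[ConsentEvent] = None
        for e in self._events:  # stored in insertion order
            if (e.subject_id, e.controller, e.purpose) == (subject_id, controller, purpose) \
                    and e.at <= at and (latest is None or e.at >= latest.at):
                latest = e
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for a subject, for audit and access requests."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> dict:
    """Walk through the rules with constructed data; returns the observed outcomes."""
    ledger = ConsentLedger()
    t0 = datetime(2017, 1, 10, tzinfo=timezone.utc)
    ledger.grant("user-42", "ExampleCo", "newsletter", "checkbox_ticked", at=t0)
    out = {
        "newsletter_ok": ledger.may_process("user-42", "ExampleCo", "newsletter", at=t0),
        "profiling_ok": ledger.may_process("user-42", "ExampleCo", "profiling", at=t0),
        "partner_ok": ledger.may_process("user-42", "PartnerCo", "newsletter", at=t0),
    }
    ledger.withdraw("user-42", "ExampleCo", "newsletter", at=t0.replace(day=11))
    out["after_withdraw"] = ledger.may_process("user-42", "ExampleCo", "newsletter",
                                               at=t0.replace(day=12))
    out["before_withdraw"] = ledger.may_process("user-42", "ExampleCo", "newsletter", at=t0)
    try:  # a pre-checked box is not an active opt-in
        ledger.grant("user-42", "ExampleCo", "analytics", "pre_checked_box", at=t0)
        out["prechecked_rejected"] = False
    except ValueError:
        out["prechecked_rejected"] = True
    try:  # an "omnibus" consent is not granular
        ledger.grant("user-42", "ExampleCo", "all", "checkbox_ticked", at=t0)
        out["omnibus_rejected"] = False
    except ValueError:
        out["omnibus_rejected"] = True
    out["events"] = len(ledger.history("user-42"))
    return out


if __name__ == "__main__":
    print(demo())
```

The ledger is append-only on purpose: a withdrawal is a new event rather than a deletion, so the controller can still show what was consented to, when, and how it was captured.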
19. Information to be provided at data collection
• the identity and the contact details of the controller and DPO;
• the purposes of the processing for which the personal data are intended;
• the legal basis of the processing;
• where applicable, the legitimate interests pursued by the controller or by a third party;
• where applicable, the recipients or categories of recipients of the personal data;
• where applicable, that the controller intends to transfer personal data internationally;
• the period for which the personal data will be stored, or if this is not possible, the criteria used
to determine this period;
• the existence of the right to access, rectify or erase the personal data;
• the right to data portability;
• the right to withdraw consent at any time;
• and the right to lodge a complaint to a supervisory authority.
Source: http://www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
22. Data protection (aka privacy) by design
“Privacy must be embedded in every step of the process – from
the whiteboard stage of a new IT project, program, system, or
campaign, through the design, development, quality assurance,
and release of the very same system. This means that privacy
and data protection officers must partner with their IT and
business colleagues internally to gain key executive sponsorship
and cooperation with their lines of business. Privacy by Design
creates a much needed connection among the CPO, CISO, IT,
and CIO [and CMO, CDO etc].”
Source: http://www.avepoint.com/community/avepoint-blog/privacy-and-security-by-design-gdpr/
23. GDPR requires a system-level response
“An organized purposeful structure that
consists of interrelated and interdependent
elements . . . that continually influence each
other to maintain their activity and the
existence of the system, in order to achieve
the goal of the system.”
26. Coming to terms with the GDPR
Act now – you should have started months ago.
Do a knowledge audit – Who needs to know about the GDPR? (From
HR to the Board of Directors.) How much do they need to know? How
can we design an education/awareness campaign?
Data audit and inventory – What PD do we have (everywhere)? What
role does it play in which business processes? How important are those
processes? Prioritize and begin to determine how to revise/redesign the
process and data usage to be compliant. (Technologies, processes,
people and skills, training, partners, data transfers, etc.)
Determine which EU data protection authority (DPA) is your lead
regulator. Get in touch asap to begin submitting data processing
systems for approval.
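The data audit and inventory step above is easier to reason about with a concrete structure. The following is an added example, not code from the slides: a minimal personal-data inventory that records which business process uses which PD and on what basis, flags the special categories listed on the "Personal data" slide and anything held past its retention period (one of the items the "Information to be provided" slide requires), and pseudonymises direct identifiers with a keyed HMAC when data leaves the process that needs it in clear (pseudonymisation being one of the new requirements quoted earlier). The field names, processes, dates and the demo key are constructed.

```python
"""Personal-data inventory for a GDPR data audit (added example).
Field names, processes, dates and the demo key are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Special categories named on the "Personal data" slide; that list is introduced
# with "such as", so this set is illustrative, not exhaustive.
SPECIAL_CATEGORIES = {"genetic", "biometric", "sexual_orientation",
                      "religion", "political_opinions", "racial_ethnic_origin"}


@dataclass(frozen=True)
class DataField:
    name: str            # column / attribute name in the system holding it
    category: str        # one of SPECIAL_CATEGORIES, or e.g. "contact", "cookie_id"
    process: str         # business process that uses it, e.g. "billing"
    lawful_basis: str    # documented basis, e.g. "consent", "contract"; "" = none
    collected_on: date
    retention_days: int  # 0 = no period or criteria defined yet


def audit(inventory: list[DataField], today: date) -> list[tuple[str, str]]:
    """Return (field, finding) pairs that need action before the process is compliant."""
    findings = []
    for f in inventory:
        if f.category in SPECIAL_CATEGORIES:
            findings.append((f.name, "special category: stricter conditions apply, review basis"))
        if not f.lawful_basis:
            findings.append((f.name, "no lawful basis documented"))
        if f.retention_days <= 0:
            findings.append((f.name, "no retention period or criteria defined"))
        elif today > f.collected_on + timedelta(days=f.retention_days):
            findings.append((f.name, "retention period exceeded"))
    return findings


def by_process(inventory: list[DataField]) -> dict[str, list[str]]:
    """Map each business process to the PD it depends on, for prioritising redesign."""
    out: dict[str, list[str]] = {}
    for f in inventory:
        out.setdefault(f.process, []).append(f.name)
    return out


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same value always maps to the same token so
    records can still be linked, but without the key the token cannot be reversed
    (and without the key, two data sets cannot be linked to each other either).
    The key must be stored separately from the pseudonymised data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


SAMPLE_INVENTORY = [  # constructed sample inventory
    DataField("email", "contact", "billing", "contract", date(2016, 1, 1), 365),
    DataField("cookie_id", "cookie_id", "analytics", "consent", date(2017, 1, 1), 90),
    DataField("genome_sample", "genetic", "research", "consent", date(2016, 6, 1), 0),
]


def demo_audit() -> list[tuple[str, str]]:
    """Run the audit on the sample inventory as of a fixed (constructed) date."""
    return audit(SAMPLE_INVENTORY, date(2017, 3, 1))


if __name__ == "__main__":
    for field, finding in demo_audit():
        print(f"{field}: {finding}")
    print(by_process(SAMPLE_INVENTORY))
    # Token for an analytics export that must not carry the e-mail address in clear.
    print(pseudonymise("alice@example.com", b"constructed-demo-key"))
```

On the sample data the audit flags the e-mail address (held past its 365-day period), and the genetic sample twice (special category, and no retention period defined); the cookie id passes because it has a documented basis and is within its retention window.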
28. Myth: The EU cares only about the Big Fish
The motivation is not a defense against US data giants
It is, rather, to protect the fundamental human right “to respect
for private life and the right to the protection of personal data”
(under the EU Charter of Fundamental Rights)
A one-man firm could be an egregious violator of these rights –
and fined accordingly
Facebook, Amazon, etc. arguably have it easier, due to their
direct relationship with consumers
29. Myth: Digital marketing is exempt (1)
Recital 47 states that “direct marketing may be regarded as a
legitimate interest” and thus a legal ground for data collection
Some have concluded that “most of the business models in
place in the online industry will not require data subjects to give
their consent to the use of their data provided they stay within
the bounds of their users' reasonable expectations.”
30. Myth: Digital marketing is exempt (2)
Such legitimate interest is always trumped (“overridden”) by the
“interests or the fundamental rights and freedoms of the data
subject.”
Recital 47 states that the assertion of such a legitimate interest
requires “careful assessment” of the consumers’ “reasonable
expectations”
Recital 70 (viz Article 22) adds: