GDPR 101
1 like471 views
The document outlines the General Data Protection Regulation (GDPR), established in 2016, which governs data privacy for EU citizens and requires organizations to protect personal data. Key provisions include the rights of data subjects such as access, correction, and the right to be forgotten, along with the responsibilities of data controllers and processors. Non-compliance can incur significant fines, and organizations must adhere to strict data protection measures and notify authorities of any data breaches within specified timeframes.
GDPR 101
- 1. GDPR 101 Anubhav Dhiman | Feb 12, 2018
- 2. Few definitions Data Privacy: The relationship between collection and dissemination of data, technology, public expectation of privacy, and the legal and political issues surrounding them Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signifies agreement to the processing of personal data relating to them Personal Data: Any information relating to an identifiable natural person - such as a name or an identification number - or to one or more factors specific to the identity of that person Processing - Any operation performed on personal data, such as collection, storage, alteration , retrieval, erasure, or destruction Regulation: A rule made and maintained by an authority across the EU Directive: A rule made and maintained by an authority for EU countries to enact
- 3. GDPR: General Data Protection Regulation GDPR is a regulation created in 2016. It contains 99 articles covering basic data privacy for all European Union citizens. This regulations requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the EU EU Privacy History 2000 Safe Harbor Privacy Principles Deprecated Oct 2015 July 2016 Privacy Shield Industry agreement May 2018 GDPR EU law
- 4. What's in Scope? Organizations in Scope ● All sectors/ industries ● SMB and large enterprises Data in Scope ● Personal data of natural persons ● Both automated and manual systems Data Exclusions ● Natural persons who are not EU citizens ● National security activities Objectives of GDPR 1. Protect the privacy rights 2. Uniform regulation across EU 3. Define/ widen the scope of PII 4. Uniform cross border data transfers 5. Address the online data privacy concerns 6. Facilitate the economic activities with uniform privacy requirements 7. Harmonize the regulatory oversight
- 5. When must organizations be ready? ● GDPR adopted by EU parliament: 14 April 2016 ● Applies in all EU member states: 25 May 2018 Compliance: Companies must provide a ‘reasonable’ level of protection for personal data What happens if an organization misses the deadline? Non-compliance or breach: Governing body has discretion for assessing a fine for data breaches and non-compliance Fines: ● Lower Limit: 2% of a company’s annual revenue or €10 million ● Upper Limit: 4% of a company’s annual revenue or €20 million
- 6. Data Controller and Processor Data Controller: Authority which alone or jointly determines the purpose and means of processing personal data Tasks: ● Compliance ● Inform (data details) ● Implement technical measures ● Written agreements with processors Data Processor: Authority which processes personal data on behalf of the controller Tasks: ● Record processing operations ● Implement security measures ● Inform of any data breach ● Appoint a data protection officer(DPO) as required
- 7. Article 15: Right of Access 1. Access requests: Free of charge (exception: repetitive requests) 2. Data subjects can request a copy: any personal data being processed 3. Categories of information: Expanded with GDPR; includes data retention, existence of, and provider of data Article 16: Right of Correction 1. Data subjects can request correction: any personal data that is inaccurate or incomplete 2. Erasure or correction: controllers are accountable for these tasks 3. Timing for requests: one month, extensions available 4. Organizations must provide a complaint process for denied requests Article 17: Right to be forgotten Data subjects are entitled to require deletion if continued processing is no longer justified Scenarios allowing for erasure: ● Purpose ● Consent ● Objection ● Lawfulness ● Compliance
- 8. Article 20: Right of Portability Data subjects are entitled to transfer their personal data between controllers. Portability rights of the data subjects 1. Copies: A copy of their personal data in a machine-readable and reusable format 2. Transfer: Transferring data from one controller to another 3. Storage: Storage of their data on a personal device 4. Transmission: Having data transmitted directly between controllers Article 21: Right to object Only applies when the lawful basis is public interest or legitimate interest Controller must cease processing with only two exceptions. 1. Requirement: The controller requires the processing to establish, exercise, or defend legal rights 2. Grounds: There is a compelling, legitimate ground for processing that overrides the data subject’s interests. Article 8: Children under 16 Requires parental consent or information services offered directly to children under the age of 16 Member states can individually set this age as low as 13 1. Protection: Children merit specific protection. All information must be child-friendly 2. Language: Information provided must be concise, transparent, and in plain language.
- 9. Article 24: Responsibility of the controller 1. Implement technical and organizational measures. 2. Consider nature, scope, context, and purpose. 3. Implement a data protection policy. 4. Develop and approve a code of conduct. Article 28: Data processor 1. Implement security measures 2. Use of Subprocessors 3. Contracts with Controller 4. Process only data in scope Article 32: Technical measures 1. Anonymize and Encrypt Personal data: Must be unreadable if spilled or stolen 2. Confidentiality, Integrity, Availability (CIA): Resilience of processing systems and services 3. Ability to restore: In case of physical or technical incident, availability and access must be restored 4. Regular testing and evaluation: Ensure the security of the processing measures
- 10. Notification If a data breach is likely to result in a risk to the rights and freedoms of natural persons, you must notify, including the supervisory authority. Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed Notifying data subjects: Must notify without undue delay; in clear and plain language of the nature of breach. Supervisory authority: 1. 72 hours from becoming aware a. Aware = when data processor notices a breach b. Exception = won't result in risk to subjects’ rights 2. If not within 72 hours, an explanation is required