GDPR Main Requirements
Liviu Cismaru, VMware, 2017
© 2016 VMware Inc. All rights reserved.
GDPR, Chapter 1, Article 1
CHAPTER I
General provisions
Article 1
Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the
processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular
their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for
reasons connected with the protection of natural persons with regard to the processing of personal data.
Enabling Strategic Goals
[Diagram: the strategic goals (Security, Data Centers, Cloud) rest on three pillars: Risk Management, Operations, and Security & Data Governance (Legal, Data Governance, Security).]
GDPR Requirements Background: Data Types
1. Article 4 - https://www.privacy-regulation.eu/en/4.htm
'Personal data' means any information relating to an identified or identifiable natural person ('data
subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or to
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person;
'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural
person which give unique information about the physiology or the health of that natural person and which
result, in particular, from an analysis of a biological sample from the natural person in question;
'biometric data' means personal data resulting from specific technical processing relating to the physical,
physiological or behavioral characteristics of a natural person, which allow or confirm the unique
identification of that natural person, such as facial images or dactyloscopic data;
'data concerning health' means personal data related to the physical or mental health of a natural person,
including the provision of health care services, which reveal information about his or her health status;
GDPR Requirements
1. Controller vs Processor. (Definitions in Art 4(7) and 4(8); obligations in Art 24 and Art 28)
2. ‘Right to be forgotten’ / Right to Erasure. (Art 17)
3. Consent; Opt-Out / Opt-In. (Art 7)
4. Right of Access by the Data Subject / Access Control. (Art 15)
5. Right to Data Portability / Data Export. (Art 20)
6. Data Breach Alerts. (Art 33, Art 34)
7. Maintain Records of Processing Activity. Transfer of Data to a Third Party. (Art 30)
8. Data Protection by Design and by Default. (Art 25)
9. Security of processing. (Art 32)
GDPR Requirements – Controller vs Processor
1. Controller = the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the processing of personal data. (Art 4(7))
2. Processor = a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the controller. (Art 4(8))
A cloud service handling its customers' end-user data is normally the processor and the customer the controller; the processor may act only on the controller's documented instructions, under a contract that sets out the Article 28(3) terms.
GDPR Requirements – Right to be Forgotten / Right to Erasure
1. Article 17 - https://www.privacy-regulation.eu/en/17.htm
“The data subject shall have the right to obtain from the controller the erasure of personal data
concerning him or her without undue delay and the controller shall have the obligation to erase
personal data without undue delay ….”
GDPR Requirements – Consent; Opt-In / Opt-Out
1. Article 7 - https://www.privacy-regulation.eu/en/7.htm
(The text below is Recital 32, which explains the conditions for consent that Article 7 imposes.)
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and
unambiguous indication of the data subject's agreement to the processing of personal data relating to
him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for
information society services or another statement or conduct which clearly indicates in this context the
data subject's acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes.
GDPR Requirements – Right of Access by the Data Subject
1. Article 15 - https://www.privacy-regulation.eu/en/15.htm
• The data subject shall have the right to obtain from the controller confirmation as to whether or not
personal data concerning him or her are being processed, and, where that is the case, access to the
personal data and the following information:
• (a) the purposes of the processing;
• (b) the categories of personal data concerned;
• (c) the recipients or categories of recipient to whom the personal data have been or will be
disclosed, in particular recipients in third countries or international organizations;
• (d) where possible, the envisaged period for which the personal data will be stored, or, if not
possible, the criteria used to determine that period; etc …
GDPR Requirements – Right to Data Portability / Data Export
1. Article 20 - https://www.privacy-regulation.eu/en/20.htm
The data subject shall have the right to receive the personal data concerning him or her, which he or
she has provided to a controller, in a structured, commonly used and machine-readable format and
have the right to transmit those data to another controller without hindrance from the controller to
which the personal data have been provided.
GDPR Requirements – Data Breach Alerts
1. Article 33 - https://www.privacy-regulation.eu/en/33.htm
2. Article 34 - https://www.privacy-regulation.eu/en/34.htm
"In the case of a personal data breach, the controller shall without undue delay and, where feasible,
not later than 72 hours after having become aware of it, notify the personal data breach to the
supervisory authority …" (Art 33(1))
A processor that detects a breach must notify the controller without undue delay (Art 33(2)); the controller's 72-hour clock runs from the moment it becomes aware. Article 34 adds a separate duty to communicate the breach to the data subjects themselves when it is likely to result in a high risk to their rights and freedoms.
GDPR Requirements – Maintain Records of Processing Activity
1. Article 30 - https://www.privacy-regulation.eu/en/30.htm
Each controller and, where applicable, the controller's representative, shall maintain a record of
processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the
controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including
recipients in third countries or international organizations;
(e) where applicable, transfers of personal data to a third country or an international organization,
including the identification of that third country or international organization;
Article 30(1) continues with (f) the envisaged time limits for erasure and (g) a general description of the Article 32(1) security measures. Article 30(2) requires each processor to keep a corresponding record of the processing carried out on behalf of each controller.
GDPR Requirements – Data Protection by Design & by Default
1. Article 25 - https://www.privacy-regulation.eu/en/25.htm
The controller shall, both at the time of the determination of the means for processing and at the time of
the processing itself, implement appropriate technical and organizational measures, such as
pseudonymisation, which are designed to implement data-protection principles, such as data
minimization, in an effective manner and to integrate the necessary safeguards into the processing in order
to meet the requirements of this Regulation and protect the rights of data subjects. …
GDPR Requirements – Security of Processing
1. Article 32 - https://www.privacy-regulation.eu/en/32.htm
The controller and the processor shall implement appropriate technical and organizational measures to
ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Data Governance – User Data Flow
Inbound Channels
– Self Registration (CRM, DBs?)
– Sales Organization (CRM, DBs?)
– Marketing Organization (CRM, DBs?)
– APIs, e.g. OAuth, SSO (DBs, CRM ?)
– Partners / Third Parties (DBs, CRM ?)
– Banks (DBs, CRM ?)
Outbound Channels
– Alerts
• Data Breach Alerts
– Reports
• Access Report (Who, What)
• Location Report (Where)
– Data Export
Data Governance – Data Flow Diagram
[Diagram: inbound sources (Self Registration, Sales Organization, Marketing Organization, APIs, Third Parties, Banks) feed the CRM / MDM and several DBs, alongside logs, configuration and binaries. A Security, Monitoring and Data Breach Alerts layer sits across these stores and produces the outbound channels to Customers: Alerts, Reports and Data Export.]
Data Governance – Data Collection
1. Does the Service allow the user to Create/Edit/Delete their data?
2. Is Personal Data (PD) collected?
3. Same for Genetic Data (GD), Biometric Data (BD) and Health-related Data (HD).
4. Through what channel does each data type above come in?
5. For all data types above: what is the data flow between the Source (e.g. CRM, Registration Form)
and the Destination (e.g. DB tables, unstructured storage, etc.)? Where is PD stored?
6. Is the data above exposed through APIs, synchronous or asynchronous messaging systems, backups,
batch transfers, etc., to systems outside the boundaries of your Service?
Data Governance – Consent
1. Does the Service allow the user to Opt Out and Opt In within a reasonable time interval?
Withdrawing consent must be as easy as giving it (Art 7(3)).
2. Does your Service rely on any central / external Opt Out / Opt In system?
3. Does your Service provide access to VMware's Terms of Service (TOS) agreement?
Data Governance – Anonymization & Pseudonymization
1. Does the Service convert PD into anonymized or pseudonymized data?
2. If anonymization, describe. Source, Destination?
3. If pseudonymization, describe. Source, Destination?
Note the difference: truly anonymized data falls outside the Regulation (Recital 26), while pseudonymized data remains personal data, because the separately held key or mapping can re-identify the person (Art 4(5)).
Data Governance – "Right to be Forgotten"
1. Does the Service provide a mechanism to delete all the PD?
2. Does the Service provide a mechanism to delete all the pseudonymized data, or to sever its
connection to PD so that the profile of a natural person cannot be reconstructed from that
pseudonymized data?
3. Does erasure propagate to backups, caches, search indexes and downstream recipients, and are
recipients informed of the erasure as Art 19 requires?
Data Governance – Data Access Control
1. Does the Service provide a mechanism to report who has access to PD, and what they accessed?
2. Is the monitoring continuous?
Data Governance – Data Export
1. Does the Service provide a mechanism to identify and create an archive of all Personal Data that
belongs to a certain user?
2. Describe the Data Export mechanism (e.g. file format, access, etc.).
Art 20 covers data the subject provided, processed by automated means on the basis of consent or contract, in a structured, commonly used and machine-readable format; the Art 15 right of access is broader in scope.
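Added worked example (not part of the deck): one way to answer the pseudonymization, erasure and export questions above together, in Python using only the standard library. The in-memory stores, the PseudonymVault table, the sample e-mail addresses and the JSON export shape are constructed for illustration. It shows why an unkeyed hash of an identifier is not pseudonymization (a candidate list reverses it), how keeping the identifier-to-pseudonym link in a separate table lets telemetry rows carry no raw PD, how export gathers everything linkable to one subject, and how erasure deletes the raw record and destroys the link so the remaining rows can no longer be tied to a person.

```python
import hashlib
import json
import secrets
from typing import Dict, List, Optional

# Constructed candidate list an attacker might hold (not real people).
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com"]


def naive_pseudonym(email: str) -> str:
    """Unkeyed hash of the identifier. It looks opaque but is not pseudonymisation in the
    Art. 4(5) sense: anyone with a candidate list can recompute and match it."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def reverse_naive(pseudonym: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack on naive_pseudonym(): identifiers have low entropy, so brute force works."""
    for c in candidates:
        if naive_pseudonym(c) == pseudonym:
            return c
    return None


class PseudonymVault:
    """The 'additional information' of Art. 4(5): subject -> random token, kept apart from
    the data it unlocks. Here an in-memory dict stands in for a separately secured table."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def pseudonym(self, subject_id: str, create: bool = False) -> Optional[str]:
        token = self._table.get(subject_id)
        if token is None and create:
            token = secrets.token_hex(32)   # random: no dictionary attack, no shared key to leak
            self._table[subject_id] = token
        return token

    def erase(self, subject_id: str) -> bool:
        """Crypto-shredding: drop the link so pseudonymous rows can no longer be re-identified."""
        return self._table.pop(subject_id, None) is not None


class Service:
    """Raw PD lives only in the CRM store; telemetry rows carry the pseudonym instead."""

    def __init__(self) -> None:
        self.vault = PseudonymVault()
        self.crm: Dict[str, dict] = {}      # subject_id (e-mail) -> raw personal data
        self.telemetry: List[dict] = []      # pseudonymous event rows, no raw PD

    def register(self, email: str, name: str) -> None:
        self.crm[email] = {"email": email, "name": name}

    def record_event(self, email: str, action: str) -> None:
        self.telemetry.append({"subject": self.vault.pseudonym(email, create=True), "action": action})

    def export(self, email: str) -> str:
        """Art. 20 style export: everything linkable to one subject, as structured JSON."""
        token = self.vault.pseudonym(email)
        bundle = {
            "profile": self.crm.get(email),
            "events": [e for e in self.telemetry if token is not None and e["subject"] == token],
        }
        return json.dumps(bundle, indent=2, sort_keys=True)

    def erase(self, email: str) -> dict:
        """Art. 17: delete the raw record and destroy the link. Telemetry rows stay, but
        without the vault entry nothing ties them to a natural person any more."""
        token = self.vault.pseudonym(email)
        orphaned = sum(1 for e in self.telemetry if token is not None and e["subject"] == token)
        return {
            "profile_removed": self.crm.pop(email, None) is not None,
            "link_destroyed": self.vault.erase(email),
            "orphaned_rows": orphaned,
        }


def demo() -> dict:
    """Register one subject, record events, export, erase, export again."""
    svc = Service()
    svc.register("alice@example.com", "Alice Example")
    svc.record_event("alice@example.com", "login")
    svc.record_event("alice@example.com", "download_report")
    before = json.loads(svc.export("alice@example.com"))
    result = svc.erase("alice@example.com")
    after = json.loads(svc.export("alice@example.com"))
    return {
        "naive_reversed": reverse_naive(naive_pseudonym("alice@example.com"), SAMPLE_EMAILS),
        "events_before": len(before["events"]),
        "erase": result,
        "profile_after": after["profile"],
        "events_after": len(after["events"]),
        "rows_retained": len(svc.telemetry),
    }
```

A single service-wide HMAC key would also defeat the dictionary attack, but erasing one person would then mean either deleting their rows or shredding the key for everybody; a per-subject entry in a separately secured table gives erasure at the granularity Article 17 asks for.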
Data Governance – Data Breach Monitoring and Reporting
1. Does the Service provide a mechanism to monitor for data breaches?
2. Can this monitoring mechanism alert the customer (the controller) without undue delay after
detection? The controller's 72-hour clock under Art 33(1) starts when it becomes aware, and a
processor must notify the controller without undue delay (Art 33(2)), so the latency from detection
to customer notification should be measured and kept short.
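Added example (not the deck's code): the access-report and breach-monitoring questions from the two slides above, implemented as a small stateful monitor over audit log lines in Python with the standard library only. The log format, actor and table names, role policy and thresholds are constructed assumptions for this example. It produces the who-accessed-what report, flags reads outside the allowed roles and bulk reads of many distinct subjects inside a sliding window, and stamps each alert with the Article 33 deadline computed conservatively from the detection time.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Set, Tuple

# Constructed audit trail, one line per personal-data record read (format, actors,
# tables and roles are assumptions for this example, not from the deck). UTC timestamps.
SAMPLE_AUDIT_LOG = """\
2017-05-20T10:15:03Z actor=jdoe role=support action=read table=crm.customers subject=s0001
2017-05-20T10:15:09Z actor=jdoe role=support action=read table=crm.customers subject=s0002
2017-05-20T10:16:40Z actor=svc_billing role=service action=read table=crm.invoices subject=s0001
2017-05-20T10:17:00Z actor=svc_etl role=service action=read table=crm.customers subject=s0001
2017-05-20T10:17:00Z actor=svc_etl role=service action=read table=crm.customers subject=s0002
2017-05-20T10:17:01Z actor=svc_etl role=service action=read table=crm.customers subject=s0003
2017-05-20T10:17:01Z actor=svc_etl role=service action=read table=crm.customers subject=s0004
2017-05-20T10:17:02Z actor=svc_etl role=service action=read table=crm.customers subject=s0005
2017-05-20T10:17:02Z actor=svc_etl role=service action=read table=crm.customers subject=s0006
2017-05-20T11:02:12Z actor=mallory role=support action=read table=crm.health_records subject=s0007
"""

# Least-privilege policy: which roles may read which PD table (assumed for the example).
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "crm.customers": {"support", "service"},
    "crm.invoices": {"service"},
    "crm.health_records": {"medical_ops"},   # health data: tighter access than ordinary PD
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) subject=(?P<subject>\S+)$"
)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def stamp_deadline(alert: dict) -> dict:
    """Art. 33(1): the controller has 72h from becoming aware. Starting the clock at our
    detection time is the conservative choice: as processor we must pass the alert on
    without undue delay (Art. 33(2)), and the controller cannot be aware before we tell them."""
    detected: datetime = alert["detected_at"]
    alert["detected_at"] = detected.isoformat()
    alert["controller_deadline"] = (detected + timedelta(hours=72)).isoformat()
    return alert


class PdAccessMonitor:
    """Continuous monitor: call ingest() for each audit line as it arrives."""

    def __init__(self, allowed_roles: Dict[str, Set[str]], bulk_threshold: int = 5,
                 window_seconds: int = 60) -> None:
        self.allowed_roles = allowed_roles
        self.bulk_threshold = bulk_threshold
        self.window = timedelta(seconds=window_seconds)
        self._recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self._seen: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {"tables": set(), "subjects": set()})
        self._bulk_alerted: Set[str] = set()

    def ingest(self, line: str) -> List[dict]:
        ev = parse_line(line)
        actor, ts = ev["actor"], ev["ts"]
        alerts: List[dict] = []
        self._seen[actor]["tables"].add(ev["table"])
        self._seen[actor]["subjects"].add(ev["subject"])
        # Rule 1: a read outside the role policy is a breach candidate on its own.
        if ev["role"] not in self.allowed_roles.get(ev["table"], set()):
            alerts.append({"type": "unauthorized_access", "actor": actor,
                           "table": ev["table"], "detected_at": ts})
        # Rule 2: many distinct subjects read by one actor in a short window (scraping / bulk export).
        recent = self._recent[actor]
        recent.append((ts, ev["subject"]))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()
        distinct = {s for _, s in recent}
        if len(distinct) >= self.bulk_threshold and actor not in self._bulk_alerted:
            self._bulk_alerted.add(actor)   # alert once per actor, not once per extra row
            alerts.append({"type": "bulk_read", "actor": actor,
                           "distinct_subjects": len(distinct), "detected_at": ts})
        return [stamp_deadline(a) for a in alerts]

    def report(self) -> Dict[str, dict]:
        """Access report (who, what): tables touched and number of subjects read, per actor."""
        return {a: {"tables": sorted(v["tables"]), "subjects": len(v["subjects"])}
                for a, v in sorted(self._seen.items())}


def run(log: str = SAMPLE_AUDIT_LOG) -> Tuple[Dict[str, dict], List[dict]]:
    """Replay a log through the monitor; returns (access report, alerts in detection order)."""
    mon = PdAccessMonitor(ALLOWED_ROLES)
    alerts: List[dict] = []
    for line in log.splitlines():
        if line.strip():
            alerts.extend(mon.ingest(line))
    return mon.report(), alerts
```

On the sample trail the monitor raises two alerts: a bulk_read for svc_etl at the fifth distinct subject, and an unauthorized_access for mallory reading health records with a support role. The report answers "who has access to PD" only for access that was exercised; pair it with a review of the grants themselves.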
Security – Data Security
1. How is PD secured at rest (encryption, key management, who can reach the keys)?
2. How is PD secured in transit (TLS with certificate verification on every hop, internal ones included)?
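Added example (not the deck's): for the in-transit question, a hardened TLS client context next to the weakened one that often appears when a certificate error is "fixed" in a hurry, with an audit function that reports the gaps. It uses only Python's ssl module and needs no network access to run.

```python
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """What a service moving PD over the network should use: verify the peer certificate
    against trusted CAs, check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED and check_hostname are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # explicit floor; older Pythons default lower
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' pattern: traffic is still encrypted, but any
    on-path party presenting its own certificate is accepted, so the PD is exposed to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the in-transit weaknesses of a context; an empty list means it passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    return findings
```

Run audit_context() against every context the service constructs, including the ones HTTP client libraries build for you, as part of the regular testing that Article 32(1)(d) calls for.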
Risk Management – Continuous Aspect
1. Is your Service part of a Continuous Risk Assessment program?
2. Does your Service report the impact that a threat or failure could have on your business, based
on standard metrics (e.g. financial loss, number of affected users, brand value, etc.)?
Risk Management – Heat Map
1. Does your Service provide input to be incorporated
into a heat map, based on Impact and Probability ?
Thank You