Massimo Carnevali - Creative Commons 4.0 International: BY-SA 1
GDPR
Massimo Carnevali
The material of this course is licensed under Creative
Commons 4.0 International: Attribution-Share Alike.
https://creativecommons.org/licenses/by-sa/4.0/
Where known, the sources of images used have
been quoted, for images that I have not been able
to find the source I’m available for quoting or
regularization.
Massimo Carnevali
posta@massimocarnevali.com
https://it.linkedin.com/in/massimocarnevali
"Master lock with root password" by Scott Schiller - Flickr: Master lock, "r00t"
password. CC BY 2.0 via Wikimedia Commons
Agenda
GDPR:
● What you need to know
● What you need to fix
● How you’ll fix it
Disclaimer:
These are my own words and opinions.
I’m not a lawyer nor am I providing legal advice.
Please treat my assertions as personal opinions and
not as legal prescriptions.
General Consideration
GDPR 679/2016
General Data Protection
Regulation
Regulation 2016/679.
It is a single set of common rules for all EU member states.
General Consideration
Natural persons
Personal data
“on the protection of natural persons with regard to
the processing of personal data and on the free
movement of such data”
General Consideration
May 25, 2018
The regulation is already in force and the deadline for
compliance is May 25, 2018: from that date the supervisory
authorities may impose sanctions on companies and other
entities that have not taken the precautions the
regulation requires.
General Consideration
Directives
vs
Regulation
“A regulation is a legal act of the European Union
that becomes immediately enforceable as law in all
member states simultaneously.
Regulations can be distinguished from directives
which, at least in principle, need to be transposed
into national law. Regulations can be adopted by
means of a variety of legislative procedures
depending on their subject matter.”
https://en.wikipedia.org/wiki/Regulation_(European_
Union)
General Consideration
The basic idea that led the European Union to this
regulation was to provide a single regulatory framework
for the management of personal data across all EU
member states.
Common legislation allows companies operating in several
countries to deal with a single national authority for all
issues related to data management, which reduces cost
and complexity.
A European Data Protection Board coordinates the
national Data Protection Authorities (supervisory
authorities).
General Consideration
Citizens?
This is a new legal framework for the management of
the personal data of people in the EU.
It does not apply to deceased persons. It applies to the
data of people in the EU even when the data are stored
or managed abroad. It applies both to electronic
processing and to paper processing, if the paper records
are organised in a structured filing system. The border
between "citizen" and "resident" is not clear:
Art. 3(2): “This Regulation applies to the processing of
personal data of data subjects who are in the
Union” (tourists? refugees? temporary workers?)
Recitals 2, 14 and 124 do not help. The draft regulation
said “EU residents”, but those words were dropped.
So the question remains open.
General Consideration
What you must do
Not how to do it
It doesn’t say: “you must buy a firewall”, it says “you
must protect your data”.
General Consideration
Appropriate measures
“implement appropriate technical and organisational
measures”.
The term is used very often.
What is appropriate depends on cost, available
technology, the nature of the processing and the risk it
poses.
General Consideration
250 employees
It is a little easier if you have fewer than 250 employees.
General Consideration
Collection and store
Data collected for one purpose cannot be used for
another purpose. The collected data must be adequate,
relevant and limited to the minimum necessary for the
purpose (so-called data minimisation). Stored data must
be accurate and kept up to date; if they are not up to
date you must correct or delete them. The retention
time must be stated in the information given to the data
subject (how long I will keep the data) and must be
limited to the time required for the processing.
The integrity, confidentiality and availability of the data
must be guaranteed.
I can only collect data to provide a service or with
explicit authorisation.
General Consideration
Under 16
There are special rules for the processing of data of
children under 16 years of age (member states may
lower this threshold, but not below 13).
Under discussion: how do you verify the age of the
person? How do you verify that a parent is accepting
the rules?
General Consideration
Commercial activities
Professional activities
It concerns only data processing in the course of
commercial and professional activities, so purely
personal or household processing is excluded. No
problem, therefore, for the personal phone book.
Processing not performed for business purposes is
excluded. Beware: "business" does not mean that the
GDPR does not apply when no money changes hands
between the company and the customer. Suppose I give
you a free service and then resell the data I collected
through it. There is no payment, but my processing is
for business purposes, so the GDPR applies.
Definitions
Data controller
Data controller.
Art. 4(7): ‘controller’ means the natural or legal person,
public authority, agency or other body which, alone or
jointly with others, determines the purposes and means
of the processing of personal data.
The data controller is directly responsible for the
processing that takes place in the organisation.
Responsibilities and tasks can be shared between joint
controllers (Art. 26).
Definitions
Data controller
Art. 5: the data controller is responsible for ensuring
that data are:
● processed lawfully, fairly and in a transparent manner
● collected for specified, explicit and legitimate purposes
● adequate, relevant and limited to what is necessary
● accurate and, where necessary, kept up to date
● kept for no longer than is necessary
● processed in a manner that ensures appropriate
security, including protection against unauthorised or
unlawful processing and against accidental loss,
destruction or damage
The data controller must be able to demonstrate that
these principles are respected (accountability, Art. 5(2));
otherwise it is punishable.
Definitions
Data Processor
The data processor is a natural or legal person, public
authority, agency or other body which processes personal
data on behalf of the controller (Art. 4(8)).
The primary liability for infringements remains with the
data controller, but controller and processor can be held
jointly and severally liable for the damage caused by
their processing (Art. 82).
Definitions
Data Processor
The processor is detailed in Art. 28.
It must be appointed by the controller and cannot
engage another processor (sub-processor) without the
controller's prior written authorisation (Art. 28(2)); an
authorised sub-processor is bound by the same data
protection obligations as the processor (Art. 28(4)).
There must be a contract or other legal act between
controller and processor. The controller must instruct
the processor. If the processor is outside the company,
the service contracts must state that the processor's
activities comply with the GDPR.
The processor has legal responsibility for its own
processing.
Definitions
Data Subject
Customer, citizen, employee etc.
Any person in the European Union in his or her role as
client, collaborator or user of a company, whether the
company is based inside or outside the European Union.
This means that the GDPR also applies to non-European
companies when they handle data of people in the EU.
As mentioned before, it is not clear whether this is about
citizenship, residence or simply being there.
Definitions
Consent and information
Call an attorney.
The highest fines apply to wrong consent and information.
Definitions
Fines:
Up to 20M€ or 4% total
worldwide annual
turnover (higher)
Article 83 states that any sanction must be effective,
proportionate and dissuasive and is determined taking
into account the nature, gravity and duration of the
infringement and its intentional or negligent character.
Administrative fines go up to € 20 million or up to 4% of
total worldwide annual turnover, whichever is higher. For
public authorities, each member state decides whether
and how administrative fines apply (Art. 83(7)); it is
likely that there will be direct personal responsibility of
the public executives.
Definitions
Personal data
What is “personal data”? Obviously name, surname,
phone number, e-mail, date and place of birth etc.
The concept is, however, extended to any data that can
"potentially" identify a person, also in combination with
other data. A few examples: IP addresses, cookies, RFID
tags, MAC addresses and IMEI codes can help build the
identity of a person, so they are to be treated as
personal data.
No distinction is made between public and private
personal data of the data subject.
Definitions
Special categories of
personal data
(‘sensitive data’)
Art. 9 Special categories of personal data.
They are personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, data concerning health, sex
life or sexual orientation, and the "more modern"
categories such as genetic and biometric data.
Processing special categories of data is forbidden unless
one of the exceptions in Art. 9(2) applies; the most
common one for companies is the explicit consent of the
data subject for a specified purpose. The prohibition
also does not apply to data that the data subject has
manifestly made public (for example a person who
publicly represents a party or a trade union and
therefore declares his or her membership).
From privacy to security
Article 32
Security of processing
What guides the data controller in choosing the
technical measures to be implemented?
Reading Art. 32.
Key points of Art.32 follow.
From privacy to security
“Taking into account the state of the art,
the costs of implementation and the
nature, scope, context and purposes of
processing ..., the controller and the
processor shall implement appropriate
technical and organisational
measures to ensure a level of security
appropriate to the risk,”
The GDPR tells us what we need to take into account,
who must implement the measures and what their goal
must be.
The article continues by listing, among the possible
measures, the pseudonymisation and encryption of
personal data (Art. 32(1)(a)).
From privacy to security
“the ability to ensure the
ongoing confidentiality,
integrity, availability and
resilience of processing
systems and services”
Which means that you must protect your servers and
make them redundant.
From privacy to security
“the ability to restore the
availability and access to
personal data in a timely
manner in the event of a
physical or technical
incident”
Backup and disaster recovery.
From privacy to security
“testing, assessing
and evaluating”
All of this must be regularly tested, assessed and
evaluated for effectiveness (Art. 32(1)(d)).
From privacy to security
Pseudonymisation
“personal data can no longer be
attributed to a specific data
subject without the use of
additional information”
I replace "Massimo Carnevali" with a pseudonym and
save the conversion table separately and safely. This
mechanism is called pseudonymisation. How far to go
follows from an impact analysis, which tells me whether
I have to encrypt, pseudonymise or do nothing.
Test environments are a typical problem: copies of
production data end up there with identifiers intact.
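The mechanism described above, as an added example (not code from the original slides): direct identifiers are replaced by a keyed pseudonym, the conversion table is returned separately so it can be stored apart from the data set, and a small gate checks that a copy is free of identifiers before it goes to a test environment. The records, the field names and the demo key are constructed for illustration.

```python
"""Pseudonymisation in the sense of Art. 4(5): identifiers are replaced by a
keyed pseudonym and the conversion table is kept apart from the data set.

Added example, not code from the original slides. Records, field names and
the demo key are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Fields that directly identify a natural person (constructed choice).
DIRECT_IDENTIFIERS = ("name", "email")

# Demonstration key only. Generate a real one with new_key() and keep it in a
# secrets store, never next to the pseudonymised data.
DEMO_KEY = b"demo-only-key-never-reuse-in-production"

# Constructed sample records; one person appears twice (two orders).
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Anna Rossi", "email": "anna.rossi@example.com", "city": "Bologna", "amount": 120},
    {"name": "Luca Bianchi", "email": "luca.bianchi@example.com", "city": "Milano", "amount": 35},
    {"name": "Anna Rossi", "email": "anna.rossi@example.com", "city": "Bologna", "amount": 18},
]


def new_key() -> bytes:
    """Fresh 256-bit pseudonymisation key for production use."""
    return secrets.token_bytes(32)


def make_pseudonym(key: bytes, identity: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identity, 128-bit hex prefix.

    Deterministic, so the same person always gets the same pseudonym and the
    records stay linkable for analytics. Without the key (or the mapping
    table) the pseudonym cannot be reversed; a plain unkeyed hash of an
    e-mail address could be brute-forced from a list of known addresses.
    """
    mac = hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ps_" + mac[:32]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Return (pseudonymised copy, mapping table).

    The mapping table is the 'additional information' of Art. 4(5): store it
    separately, with stricter access control than the data set itself.
    """
    mapping: Dict[str, Dict] = {}
    output: List[Dict] = []
    for rec in records:
        identity = "|".join(str(rec[f]) for f in DIRECT_IDENTIFIERS)
        pseudo = make_pseudonym(key, identity)
        mapping[pseudo] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = pseudo
        output.append(stripped)
    return output, mapping


def reidentify(record: Dict, mapping: Dict[str, Dict]) -> Dict:
    """Reverse the pseudonymisation of one record using the mapping table."""
    pseudo = record["subject_id"]
    if pseudo not in mapping:
        raise KeyError("pseudonym not present in the mapping table")
    restored = {k: v for k, v in record.items() if k != "subject_id"}
    restored.update(mapping[pseudo])
    return restored


def safe_for_test_environment(records: List[Dict]) -> bool:
    """Gate for copying data to a test system: no direct identifier may be
    present. The mapping table must never travel with the data set."""
    return all(not (set(DIRECT_IDENTIFIERS) & set(rec)) for rec in records)


if __name__ == "__main__":
    pseudo_records, table = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    print("pseudonymised:", pseudo_records)
    print("safe for test env:", safe_for_test_environment(pseudo_records))
    print("restored:", reidentify(pseudo_records[0], table))
```

The keyed construction matters: an unkeyed SHA-256 of an e-mail address is reversible by anyone who can enumerate plausible addresses, which would make the "pseudonym" just another identifier. Whether the pseudonymised copy is also encrypted at rest is the outcome of the impact analysis mentioned above.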
From privacy to security
“accidental or unlawful
destruction, loss,
alteration, unauthorised
disclosure or access”
So it is not enough to prevent an attacker from
reading them, but I must also be careful not to lose
them for a mistake or an accident.
From privacy to security
“Adherence to an approved code of
conduct as referred to in Article 40 or an
approved certification mechanism as
referred to in Article 42 may be used as
an element by which to demonstrate
compliance”
ISO 27001
From privacy to security
“The controller and processor shall
take steps to ensure that any natural
person acting under the authority of
the controller or the processor who
has access to personal data does
not process them except on
instructions from the controller”
So you MUST train all people.
Data Protection Officer
Art. 37 Data protection officer
Not all companies must appoint a Data Protection
Officer. It is mandatory (Art. 37(1)) for public
authorities, for organisations whose core activities
consist of regular and systematic monitoring of data
subjects on a large scale (social networks, e-commerce,
but also telecommunications companies) and for
organisations whose core activities consist of large-scale
processing of special categories of data (healthcare, for
example).
The DPO is designated by the controller or the
processor, and the DPO's contact details must be
published and communicated to the supervisory
authority.
Data Protection Officer
Inform, monitor, advice,
training,
NO operation or
law interpret
If the DPO is inside the company, he or she must not
hold operational roles in conflict with the DPO role (no
IT manager, no HR manager, no CFO) and must report at
the highest level of the corporate chain of command.
The DPO can be external to the company; in this case he
or she need not be dedicated and can be shared among
several companies.
The DPO must have a mix of legal knowledge, technical
skills, organisational skills, command of control tools
and knowledge of the company's market.
Data Protection Officer
➢Experience
➢Professional capacity
➢Capacity to carry out tasks
➢DPO as a service
Experience level (higher complexity = higher experience
required of the DPO)
Professional capacity (legal, technological and process
expertise, but also deep knowledge of the specific sector
of the company or the public administration)
Capacity to carry out the tasks (integrity, ethics, culture,
etc.)
DPO as a service (the role of Data Protection Officer
acquired on the basis of a service contract)
Records of processing activities
Art. 30
It is the list of the personal-data processing activities
and the place where the information needed for risk
analysis is collected.
The record also supports the activity of the Data
Protection Officer. It should not contain generic
statements but detailed descriptions, must be kept in
writing (paper or electronic) and must be kept up to
date. It is not just a bureaucratic formality; it is useful.
Records of processing activities
➢Description
➢Purposes
➢Data subjects categories
➢Personal data categories
➢Transfers of the data
➢Data retention
A complete version must be kept by the data controller
(with a full description of the processing, its purposes,
the categories of data subjects and of personal data, any
transfer of the data, the retention period, etc.). A smaller
version is kept by the data processor (for example, it
contains no information about the deletion of personal
data, since retention is the responsibility of the data
controller).
Records of processing activities
“general description of the
technical and organisational
security measures referred to
in Article 32(1)”
For each activity there must be a “general description of
the technical and organisational security measures
referred to in Article 32(1)”.
Organisations with fewer than 250 employees are
exempt from keeping the record unless the processing is
likely to result in a risk for data subjects, is not
occasional, or includes special categories of data or data
on criminal convictions (Art. 30(5)).
Each controller or processor must cooperate with the
supervisory authority and make the record available to
it on request, so that it can be used to monitor the
processing operations.
Data protection
Data protection by design
Data protection by default
Art. 25: data protection by design and by default.
This is a major issue: if a company or organisation is
designing software or a process, it must review its plans
taking protection and confidentiality into account. All
projects must adopt policy and technical measures to
obtain protection by design and by default. For
example: minimise the processing of personal data,
pseudonymise or encrypt them as soon as possible, etc.
Data protection
“Taking into account the state of
the art, the cost ... and the nature,
scope, context and purposes of
processing as well as the risks ”
Systems must be designed to collect only the minimum
data needed to provide the service to the user, and
these data must be visible only to those who need
them. Certified processes can be used as a
demonstration of doing the right things.
All this must be done “taking into account the state of
the art, the cost ... and the nature, scope, context and
purposes of processing as well as the risks”: the
measures taken must be adapted to the actual context.
Data Breach
A lot of discussion about this.
Definition (Art. 4(12)): “personal data breach means a
breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of,
or access to, personal data transmitted, stored or
otherwise processed”.
Art. 33 and 34: the breach must be notified to the
supervisory authority without undue delay and, where
feasible, within 72 hours of becoming aware of it, unless
it is unlikely to result in a risk for the data subjects;
where the risk is high, the data subjects must be
informed as well. This applies to companies under 250
employees too.
Data Breach
Smartphones and
Personal Computers
encryption
What about the theft of encrypted data? If the
controller can demonstrate that the stolen data were
encrypted (and the key was not compromised), the
breach need not be communicated to the data subjects
(Art. 34(3)(a)) and, if it is unlikely to result in a risk,
need not be notified to the supervisory authority either;
after evaluation by the supervisory authority there will
be no fines. The immediate consequence is the
encryption of smartphones and personal computers
containing personal data: otherwise the theft of the
device triggers the obligation to report the breach to
the authorities (as well as the theft report for the
physical device).
The breach notification must follow a standard format
(still to be defined in some countries) and include the
actions taken to limit the damage.
Data protection impact assessment
DPIA (Art. 35) is needed only where the processing is
likely to result in a high risk to the rights and freedoms
of people, for example new technologies or large-scale
processing of special categories of data. The output of
the analysis is the input for the security process. If the
residual risk stays high because mitigating it would be
too expensive, you must consult the supervisory
authority before processing the data (Art. 36). The
authority may publish a list of processing operations for
which it considers the impact assessment always
mandatory. Compliance with approved codes of conduct
is taken into account in the assessment, but does not
replace it (Art. 35(8)).
Data subject rights
Right to erasure
(‘right to be forgotten’)
Data subject rights (user, citizen, customer, employee
etc.).
Right to erasure (‘right to be forgotten’)
Art. 17: new, and with a lot of hype recently.
The data subject has the right to have the data held by
the data controller erased, for example by withdrawing
consent to their processing. As far as possible the data
controller must also remove replicas, copies,
reproductions, links, etc. of the data; the legislator
confines this within the limits of reasonableness.
There is a backup issue.
There are incompatibilities with some banking and
administrative regulations (e.g. registry office, ID
cards).
Data subject rights
Right to rectification
Art. 16 (very short): the data controller, when
requested, must correct or complete the data of the
data subject.
Data subject rights
Right to data portability
Art. 20. New concept!
This article will primarily affect cloud services, where
the theme of the user's data migrating entirely to the
service provider is particularly strong. Imagine a social
network that wants to break the Facebook monopoly:
the operation would be far simpler if users could
transfer their data with one click from one social
network to another. It would be a competitive
advantage for companies but also interesting for the
user, who would no longer be tied for life to one
supplier (the so-called "vendor lock-in").
Data subject rights
Right to data portability
(13/12/16 integration)
Data subjects have the right to receive their data in a
structured, commonly used, machine-readable format.
If they want, they can also request a direct transfer of
the data between two controllers, leaving them the
problem of interoperability.
A supplementary document was approved on
13/12/2016 that examines the technical aspects of
interoperability between IT systems and the need to
develop applications that make it easy for the user to
exercise this right. I personally see it as a potential push
towards the use of open data formats, the only ones
that can truly guarantee this portability.
Data subject rights
Right of access
Art. 15.
The data controller must respond within a month (or at
most three months in particularly complex cases), must
provide the information free of charge or at most at a
reasonable administrative cost and, if the user asks for
it, must provide the data in a "commonly used electronic
form" (unclear, I think there will be some debate). The
data controller may refuse repeated, unfounded or
excessive requests (in the sense of large volumes of
data).
Data subject rights
Right to restriction
of processing
Art. 18 Right to restriction of processing.
It is different from deletion: it is a temporary suspension
of the processing, while the data stay stored by the data
controller (perhaps because we are awaiting a judgment
or a review by the authority). Technically it may not be
trivial, because the software must support it (and here
we are back to "privacy by design", which must also
take this into account). One solution is to move the
suspended data to an environment separate from
production.
Data subject rights
➢ access
➢ rectification
➢ erasure
➢ portability
➢ restriction
So, as a data subject I have the right:
● to have a copy of my data
● to correct my data in your possession
● to delete all my data
● to have my data in a portable format or to transfer
them between controllers
● to stop the processing without touching the data
As a data controller I must be ready to receive and
answer all these requests.
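A controller-side handler for the five rights listed above, as an added example (not code from the original slides). The store, the subject record and the "replica" dictionary standing in for the copies and backups mentioned under the right to erasure are constructed; the point is that restriction (Art. 18) keeps the record stored but blocks every processing path, while access, rectification, erasure and portability act on the same record.

```python
"""Minimal handling of access, rectification, erasure, portability and
restriction requests on the controller side.

Added example, not code from the original slides. The store, the sample
subject and the 'replica' copy are constructed for illustration.
"""
import copy
import json
from typing import Callable, Dict, Optional


class RestrictedProcessing(Exception):
    """Raised when an operation hits a record under Art. 18 restriction."""


class SubjectStore:
    def __init__(self) -> None:
        self._records: Dict[str, Dict] = {}     # primary store
        self._replicas: Dict[str, Dict] = {}    # stand-in for copies/backups
        self._restricted: Dict[str, str] = {}   # subject_id -> reason

    def add(self, subject_id: str, data: Dict) -> None:
        self._records[subject_id] = dict(data)
        self._replicas[subject_id] = dict(data)

    # Art. 15: right of access. The subject gets a copy even while processing
    # is restricted, because storage is still permitted under Art. 18.
    def access(self, subject_id: str) -> Dict:
        if subject_id not in self._records:
            raise KeyError("unknown subject")
        return {
            "data": copy.deepcopy(self._records[subject_id]),
            "restricted": self._restricted.get(subject_id),
        }

    # Art. 16: right to rectification, applied to every copy we hold.
    def rectify(self, subject_id: str, field: str, value) -> Dict:
        rec = self._records[subject_id]
        rec[field] = value
        self._replicas[subject_id][field] = value
        return dict(rec)

    # Art. 17: right to erasure. Removes the record and every replica under
    # our control; returns False if the subject was unknown.
    def erase(self, subject_id: str) -> bool:
        if subject_id not in self._records:
            return False
        del self._records[subject_id]
        self._replicas.pop(subject_id, None)
        self._restricted.pop(subject_id, None)
        return True

    # Art. 20: right to data portability. JSON is the structured, commonly
    # used, machine-readable format chosen here.
    def export_portable(self, subject_id: str) -> str:
        return json.dumps({"subject_id": subject_id, "data": self._records[subject_id]},
                          sort_keys=True)

    def import_portable(self, payload: str) -> str:
        """Receiving side of a controller-to-controller transfer."""
        obj = json.loads(payload)
        self.add(obj["subject_id"], obj["data"])
        return obj["subject_id"]

    # Art. 18: right to restriction of processing.
    def restrict(self, subject_id: str, reason: str) -> None:
        self._restricted[subject_id] = reason

    def lift_restriction(self, subject_id: str) -> None:
        self._restricted.pop(subject_id, None)

    def processing_allowed(self, subject_id: str) -> bool:
        return subject_id in self._records and subject_id not in self._restricted

    def process(self, subject_id: str, operation: Callable[[Dict], object]):
        """Every business operation on personal data goes through here, so a
        restricted record is stored but not otherwise processed."""
        if subject_id in self._restricted:
            raise RestrictedProcessing(self._restricted[subject_id])
        return operation(copy.deepcopy(self._records[subject_id]))


def demo_store() -> SubjectStore:
    """Constructed sample subject."""
    store = SubjectStore()
    store.add("s-001", {"name": "Anna Rossi", "email": "anna.rossi@example.com", "plan": "basic"})
    return store


if __name__ == "__main__":
    store = demo_store()
    store.restrict("s-001", "accuracy contested by the data subject")
    print(store.access("s-001"))
    print("processing allowed:", store.processing_allowed("s-001"))
    store.lift_restriction("s-001")
    print(store.export_portable("s-001"))
```

The single `process` gate is what makes restriction enforceable: if business code can reach the record through other paths, the flag is decoration. The same gate is the natural place to log which purpose each operation serves.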
Data subject rights
A special data subject:
employee
Art. 88: employees as a special category of data
subjects.
Beyond what is already written in the GDPR, member
states may adopt more specific or restrictive labour
laws or collective agreements on employee data
management and employee selection processes.
The employee/company relationship thus becomes a
particular case of the controller/subject relationship.
Codes of conduct and certifications
Codes of conduct
and certifications
Art. 40 to 43 Codes of conduct and
certifications
The GDPR encourages certification and the creation of
specific codes of conduct, which will be published,
collected in a register and monitored by the competent
authorities. Although not explicitly cited, ISO 27001 can
be seen as the top certification level; more specific
certifications will probably emerge for cases where ISO
27001 is too complex to implement. In support of this
thesis, the security structure referred to in Article 32 is
very similar to the ISO 27001 ISMS (Information
Security Management System) model.
Going outside EU
Transfers of personal
data to third countries or
international
organisations
Chapter V, from Art. 44. The GDPR compliance obligation
applies to all subjects, wherever they are located, that
handle the data of people in the EU. This European
legislation has an impact on business around the world:
if you use the data of people in the EU, the GDPR
imposes restrictions on the management of these data
even when they are taken outside the EU. If you process
data of people in the EU but are based outside the EU,
you must designate a representative within the EU
(Art. 27). A multinational corporation must also
guarantee the rights of personal data that end up in its
foreign locations. Very high fines for this infringement.
There is a lead supervisory authority that acts as a
"one-stop shop" for cross-border processing (Art. 56;
clarified in a document issued on 13/12/2016).
Impact on companies
Am I involved?
In most cases the answer is yes. It is certainly yes if you
are a public administration, if you work in healthcare, if
you deal with special or sensitive data within your
business, if you do e-commerce, or in any situation
involving a customer. If your business is essentially B2B
you have to evaluate: personal data can hide anywhere
in your business. There are employees, selection
candidates, external collaborators, employees of
companies that work for you (cleaning, catering), your
agents, distributors, dealers, CRMs where you may also
keep useful references for those who provide
assistance, and more. The first thing you must do is
understand how the GDPR impacts you.
Impact on companies
Aggregation of personal data
Once the company has understood all the data sitting inside its boundaries, it must aggregate each individual's data in one place, or in any case make it aggregable, by linking the individual across the various ways he or she is described in the different company databases. Implementing GDPR actually requires that any data that can potentially identify an individual is included in this single view.
Impact on companies
Link data to processes
The company must create a link between all of an individual's data (however it is distributed across the databases) and the processes to which that data is subject. This is crucial to keep control of the chain of consents the individual has given, to be able to alert him when the purpose for which a piece of data is processed changes, and even to alert him in the event of a data breach (as required in some situations: Articles 33 and 34).
Impact on companies
"Goal achieved"
Companies must add a "goal achieved" flag to personal data. GDPR says that personal data should only be used for a specific purpose, the one for which consent was given. Once that goal is reached, the data in question should no longer be retained by the Data Controller. Business applications must have delete options that reach the granularity of the individual and of each single data item. If my data is involved in multiple processing operations, the Data Controller must delete it once every one of them has its "goal achieved" flag set to true.
Impact on companies
Right to restriction of processing
The possibility for the Data Subject or for the authority to request a suspension of processing implies a revision of current applications: they must provide a mechanism for identifying the data to be suspended and a means of freezing it in its current state.
Impact on companies
Data protection by design
Data protection by default
When activating new software, processes or processing operations, you will have to take into account the new requirements of data protection by design and by default, which will definitely have a significant impact on companies.
Impact on companies
Contracts with external suppliers
The management of outsourcing contracts, cloud services etc. should also be updated, verifying that the companies providing the services process the data in accordance with the new regulation.
Impact on companies
Shared roadmap
The roadmap towards compliance with GDPR is not only "IT stuff": it is a journey that impacts business strategies. There will be many questions to ask, and the answers will come from different sectors of the company. You will need to understand why certain data is collected, why it is stored instead of being deleted, what data your applications collect, whether all of it is needed to deliver the services, what the purpose of all this processing is, and so on. These are not (only) IT questions.
But above all, the fundamental question: is the cost of encryption, anonymisation and data protection still worth paying?
Roadmap towards GDPR
Company roadmap towards GDPR
This is just a simple list of considerations to be customized to the company's needs. Even the sequence of points is not a strict timeline, since many themes could be addressed in parallel.
Roadmap towards GDPR
Awareness and training
The starting point is to build awareness of the topic of data security within the company, which is always useful even outside the GDPR roadmap. Training should involve at least the decision makers and the operational staff of the company, and focus on the meaning and impact of this new legislation.
Roadmap towards GDPR
Data Protection Officer
Among the first things to do will of course be to identify the Data Protection Officer, if the law requires one for the company, assessing whether to use an internal person, appropriately placed in the organizational chart, or to engage a consultant or an external company.
Roadmap towards GDPR
Data Audit: find all the data inside the company
The starting point of this path is the search for all personal data within the company through a "Data Audit". For each group of data you will need to identify the processing operations and who is responsible for them, how the data is stored and used, and what must be done to that data to comply with GDPR. If the data is exchanged with the outside, appropriate verification and information procedures must be put in place.
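A minimal illustration of the "Data Audit" starting point described above, as an added example that is not from the deck: a scanner over a few constructed sample files that flags likely personal-data items (e-mail addresses, IPv4 addresses, phone numbers) and builds an inventory per source, masking the values so that the audit report does not itself become yet another copy of personal data. The patterns are assumed heuristics and the file names and contents are constructed; a real audit also has to cover names, identifiers, free text and paper archives.

```python
"""Toy data-audit scanner: finds likely personal-data items in company files
and reports, per source, how many items of each kind were found, with values
masked so the inventory does not become a new copy of personal data.
Added example; the patterns are heuristics and the sample files are constructed."""
from __future__ import annotations

import re
from collections import Counter

# Heuristic patterns only; a real audit needs many more (names, IDs, free text ...).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{2}[ \d]{8,14}\d"),   # loosely European-style numbers
}


def valid_ipv4(candidate: str) -> bool:
    """Filters regex hits such as 999.1.1.1 that are not real addresses."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def mask(value: str) -> str:
    """Keeps only the first two characters so a reviewer can recognise the field."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(text: str) -> list[tuple[str, str]]:
    """Returns (kind, masked_value) pairs found in one file's content."""
    found = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if kind == "ipv4" and not valid_ipv4(match):
                continue
            found.append((kind, mask(match)))
    return found


def audit(files: dict[str, str]) -> dict[str, Counter]:
    """Inventory: source file -> count of items per kind (sources without hits are omitted)."""
    inventory: dict[str, Counter] = {}
    for name, content in files.items():
        counts = Counter(kind for kind, _ in scan_text(content))
        if counts:
            inventory[name] = counts
    return inventory


SAMPLE_FILES = {  # constructed sample content, not real data
    "crm/export.csv": "Mario Rossi,mario.rossi@example.com,+39 0461 123456\n",
    "web/access.log": "203.0.113.7 - - [25/May/2018] GET /shop\n999.1.1.1 junk\n",
    "docs/readme.txt": "Nothing personal here, version 1.2.3\n",
}

if __name__ == "__main__":
    for source, counts in audit(SAMPLE_FILES).items():
        print(source, dict(counts))
```

`audit(SAMPLE_FILES)` reports one e-mail and one phone number in the CRM export and one IP address in the web log (the `999.1.1.1` line is discarded as an invalid address), and nothing for the readme; each hit is then a row for the data audit, to be tied to a processing operation and a responsible person.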
Roadmap towards GDPR
Analyze data collection processes
How do I collect data?
The current data collection processes must be analyzed, verifying on a case-by-case basis that business needs and legitimate reasons for the collection are clearly identified.
Be sure to verify that all processes comply with GDPR.
Roadmap towards GDPR
Breach Notification
As required by the law, a cybersecurity incident plan should be established, with particular regard to data breaches. The plan will have to involve the entire company, so you can be sure that information circulates effectively and accurately, with the least possible damage to your organization. This point is not purely technological: it involves human resources, marketing, external relations and, of course, top management. Once the plan has been set up, it must be tested with specific simulations.
Roadmap towards GDPR
Consent and information
Violations of the consent and information requirements trigger the maximum fines provided by the GDPR. The company must take its current procedures in hand, reviewing them in detail and updating them to the requirements of the GDPR. On this point, strong legal support is absolutely necessary. One must identify and explain, for example, the legal basis on which each processing operation is carried out.
Roadmap towards GDPR
Data Subjects' rights
Data Subjects have strong access rights to their data. The task of the company is to provide the appropriate tools that allow the user to exercise these rights. Simple and fast procedures must be set up to allow users to access their data, ask for correction or deletion, request a copy in a commonly used electronic format and request transfer to another Data Controller. Beware of the response time, 30 days (internal procedures, processes, etc.), and remember that you cannot charge the user.
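The "Aggregation of personal data", "Link data to processes", "Goal achieved" and "Right to restriction of processing" slides above, together with the rights listed here, describe a data model more than a legal rule: one aggregated view per individual, each data item linked to the processing purposes it serves, a per-purpose "goal achieved" flag with erasure once every purpose is achieved, a way to freeze data under restriction, and tools for access, deletion and export in a commonly used format within the 30-day window. The following Python sketch is an added example, not the author's code and not part of the deck; the class names, the JSON export layout and the sample customer are assumptions constructed for illustration, and counting the 30 days as calendar days is also an assumption.

```python
"""Toy personal-data inventory: one aggregated view per data subject, data items
linked to processing purposes, a "goal achieved" flag per purpose, erasure once
all purposes are achieved, freezing under restriction of processing, and a JSON
export for access and portability requests. Added example; names are assumptions."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DAYS = 30  # window stated in the slides; counting calendar days is an assumption


class RestrictedError(Exception):
    """A write was attempted while the subject's data is under restriction of processing."""


@dataclass
class Purpose:
    name: str                 # e.g. "order-fulfilment"
    legal_basis: str          # e.g. "contract", "consent"
    goal_achieved: bool = False


@dataclass
class DataItem:
    source: str               # company system holding the item (ERP, CRM, HR ...)
    kind: str                 # e.g. "email"
    value: str
    purposes: set[str]        # names of the purposes this item serves


@dataclass
class SubjectRecord:
    """Aggregated view of everything the company holds about one individual."""
    subject_id: str
    purposes: dict[str, Purpose] = field(default_factory=dict)
    items: list[DataItem] = field(default_factory=list)
    restricted: bool = False

    def _check_writable(self) -> None:
        if self.restricted:
            raise RestrictedError(f"{self.subject_id}: processing is restricted")

    def add_purpose(self, purpose: Purpose) -> None:
        self._check_writable()
        self.purposes[purpose.name] = purpose

    def add_item(self, item: DataItem) -> None:
        """Refuses data not tied to a documented purpose (purpose limitation)."""
        self._check_writable()
        unknown = item.purposes - set(self.purposes)
        if unknown:
            raise ValueError(f"no documented purpose for {sorted(unknown)}")
        self.items.append(item)

    def mark_goal_achieved(self, purpose_name: str) -> None:
        self._check_writable()
        self.purposes[purpose_name].goal_achieved = True

    def _retained(self, item: DataItem) -> bool:
        """An item is kept only while at least one of its purposes is still open."""
        return not all(self.purposes[p].goal_achieved for p in item.purposes)

    def deletable_items(self) -> list[DataItem]:
        return [i for i in self.items if not self._retained(i)]

    def purge(self) -> int:
        """Deletes items whose every purpose is achieved; refused under restriction."""
        self._check_writable()
        before = len(self.items)
        self.items = [i for i in self.items if self._retained(i)]
        return before - len(self.items)

    def export(self) -> str:
        """Access / portability export; reading is still allowed under restriction."""
        return json.dumps({
            "subject_id": self.subject_id,
            "restricted": self.restricted,
            "purposes": [vars(p) for p in self.purposes.values()],
            "items": [{**vars(i), "purposes": sorted(i.purposes)} for i in self.items],
        }, indent=2)


def response_deadline(received_iso: str) -> str:
    """Last day (ISO date) to answer a request received on the given ISO date."""
    return (date.fromisoformat(received_iso) + timedelta(days=RESPONSE_DAYS)).isoformat()


def build_sample() -> SubjectRecord:
    """Constructed sample: one customer known to two company systems."""
    rec = SubjectRecord("subj-0001")
    rec.add_purpose(Purpose("order-fulfilment", "contract"))
    rec.add_purpose(Purpose("newsletter", "consent"))
    rec.add_item(DataItem("ERP", "shipping_address", "Via Esempio 1, Trento", {"order-fulfilment"}))
    rec.add_item(DataItem("CRM", "email", "mario.rossi@example.com", {"order-fulfilment", "newsletter"}))
    return rec
```

`build_sample()` returns the constructed record. Marking `order-fulfilment` achieved and calling `purge()` removes only the shipping address, because the e-mail still serves the newsletter purpose; once the newsletter purpose is also achieved the next `purge()` empties the record. While `restricted` is set, `purge()` and every other write raise `RestrictedError`, so a restriction request freezes the data in its current state without making it unavailable to `export()` for an access request; `response_deadline("2018-05-25")` gives the last day to answer a request received on the deadline day itself.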
Roadmap towards GDPR
Data protection by design and by default
As already mentioned above, data protection by design and by default will involve reviewing procedures, processes and software to verify that they are designed with data protection in mind.
Roadmap towards GDPR
Privacy Impact Assessment
Run a Privacy Impact Assessment
By May 2018, companies must activate a privacy impact assessment process that helps them identify and minimize privacy risks in projects and policies. The first execution will of course be the most complex and will serve as input for the DPO's work. Later you can proceed with periodic checks, working on what has changed since the previous assessment. A PIA is not always compulsory, but it is still advisable, and it must be done in potentially high-risk situations.
Roadmap towards GDPR
Review of contracts
Companies will have to review and supplement all service contracts that involve the processing or retention of personal data. Specific clauses on adherence to the new legislation, allocation of responsibilities and control of any subcontracts should be introduced. Specific "Privacy Level Agreements" must be negotiated.
Roadmap towards GDPR
Technology
Companies will also have to review all the technological aspects to see whether the technologies in use are adequate to protect the company from internal and external attacks.
Roadmap towards GDPR
Internationalization
If the company operates internationally, all relevant assessments of where data is located and how it moves should be made (especially if these movements involve countries outside the European Union). Also, for companies with head offices in more than one EU country, the national authority that will act as the single point of reference for GDPR matters should be identified.
Roadmap towards GDPR
Sample timeline
http://www.2twenty4consulting.com/gdpr-workshop/4593148456
Roadmap towards GDPR
Data Flow sample
https://www.linkedin.com/pulse/gdpr-data-flow-mapping-approach-tim
Massimo Carnevali
posta@massimocarnevali.com
www.linkedin.com/in/massimocarnevali

More Related Content

PDF
GDPR A Practical Guide with Varonis
PDF
Knowing Me, Knowing You - Managing & Using Contact Information
PDF
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
PPTX
General Data Protection Regulation
PDF
Convince your board - Ten steps to GDPR compliance
PDF
GDPR: the legal aspects. By Matthias of theJurists Europe.
PPTX
Gdpr compliance. Presentation for Consulegis Lawyers network
PPTX
What is GDPR?
GDPR A Practical Guide with Varonis
Knowing Me, Knowing You - Managing & Using Contact Information
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
General Data Protection Regulation
Convince your board - Ten steps to GDPR compliance
GDPR: the legal aspects. By Matthias of theJurists Europe.
Gdpr compliance. Presentation for Consulegis Lawyers network
What is GDPR?

What's hot (20)

PPTX
EU GDPR - 12 Steps To Compliance
PDF
How the EU-GDPR May Affect Your Website
PDF
What will be the Impact of GDPR Compliance in EU & UK?
PDF
The Essential Guide to GDPR
PDF
GDPR (En) JM Tyszka
PDF
What is GDPR ? by M32
PPTX
How to get your business GDPR ready
PDF
GIG Working Paper 02/2017 - The Definition of Personal Data
PPTX
How to get started with being GDPR compliant
PPTX
Gdpr action plan
PPTX
Do You Have a Roadmap for EU GDPR Compliance?
PPTX
An Overview Of GDPR (General Data Protection Regulation)
PPTX
Webianr: GDPR: How to build a data protection framework
PDF
VMTN6642E - GDPR Slide Deck
PDF
The Evolution of Data Privacy: 3 Things You Need To Consider
PDF
Microsoft Azure and the EU GDPR
PPTX
Impact of GDPR on the pre dominant business model for digital economies
DOCX
Do You Have a Roadmap for EU GDPR Compliance? Article
PPTX
Members evening - data protection
 
EU GDPR - 12 Steps To Compliance
How the EU-GDPR May Affect Your Website
What will be the Impact of GDPR Compliance in EU & UK?
The Essential Guide to GDPR
GDPR (En) JM Tyszka
What is GDPR ? by M32
How to get your business GDPR ready
GIG Working Paper 02/2017 - The Definition of Personal Data
How to get started with being GDPR compliant
Gdpr action plan
Do You Have a Roadmap for EU GDPR Compliance?
An Overview Of GDPR (General Data Protection Regulation)
Webianr: GDPR: How to build a data protection framework
VMTN6642E - GDPR Slide Deck
The Evolution of Data Privacy: 3 Things You Need To Consider
Microsoft Azure and the EU GDPR
Impact of GDPR on the pre dominant business model for digital economies
Do You Have a Roadmap for EU GDPR Compliance? Article
Members evening - data protection
 
Ad

Similar to Gdpr presentation with notes (20)

PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
PPTX
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
PPTX
ABM Display Advertising Success in the World of GDPR [PPT]
PDF
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
PDF
Development & GDPR
PPTX
General Data Protection Regulation (GDPR)
PDF
Esc gdpr oct 2018
PPTX
GDPR Privacy Introduction
PPT
The Countdown is on: Key Things to Know About the GDPR
PPTX
GDPR & digital strategy
PDF
The Countdown to the GDPR Regulations
PDF
Development & GDPR (v2)
PPTX
GDPR Practicalities - The Data Shed
PDF
GDPR Is Around the Corner - Don't Panic
PPTX
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
PDF
Guide to-the-general-data-protection-regulation
 
PPTX
Practical Guide to GDPR 2017
PDF
General Data Protection Regulation (GDPR) for Identity Architects
PPTX
Gdpr presentation
PDF
GDPR for your Payroll Bureau
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
ABM Display Advertising Success in the World of GDPR [PPT]
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
Development & GDPR
General Data Protection Regulation (GDPR)
Esc gdpr oct 2018
GDPR Privacy Introduction
The Countdown is on: Key Things to Know About the GDPR
GDPR & digital strategy
The Countdown to the GDPR Regulations
Development & GDPR (v2)
GDPR Practicalities - The Data Shed
GDPR Is Around the Corner - Don't Panic
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Guide to-the-general-data-protection-regulation
 
Practical Guide to GDPR 2017
General Data Protection Regulation (GDPR) for Identity Architects
Gdpr presentation
GDPR for your Payroll Bureau
Ad

More from Massimo Carnevali (20)

PDF
Benvenuto GDPR
PDF
GDPR Tutorial - 12 Il percorso dell’azienda verso la conformità
PDF
GDPR Tutorial - 11 Impatto sulle aziende
PDF
GDPR Tutorial - 10 Ulteriori elementi
PDF
GDPR Tutorial - 9 Diritti dell’utente
PDF
GDPR Tutorial - 8 Violazioni dei dati e valutazione d’impatto
PDF
GDPR Tutorial - 7 Registri e protezione dei dati
PDF
GDPR Tutorial - 6 Il responsabile della protezione dei dati
PDF
GDPR Tutorial - 5 Dalla privacy alla sicurezza
PDF
GDPR Tutorial - 4 Consenso, informativa, dati e sanzioni
PDF
GDPR Tutorial - 3 Titolari, responsabili e soggetti
PDF
GDPR Tutorial - 2 Considerazioni generali - seconda parte
PDF
GDPR Tutorial - 1 Considerazioni generali - prima parte
PDF
premio_innovazione_smau_2009
PDF
Articolo su La voce del Trentino
PDF
Security Audit and Security Tools
PDF
Project management collaborativo
PDF
Internet reputation
PDF
Presentazione del libro Wikicrazia a Bookique (Trento)
PDF
South Tirol Free Software Conference - Bolzano 18/11/11
Benvenuto GDPR
GDPR Tutorial - 12 Il percorso dell’azienda verso la conformità
GDPR Tutorial - 11 Impatto sulle aziende
GDPR Tutorial - 10 Ulteriori elementi
GDPR Tutorial - 9 Diritti dell’utente
GDPR Tutorial - 8 Violazioni dei dati e valutazione d’impatto
GDPR Tutorial - 7 Registri e protezione dei dati
GDPR Tutorial - 6 Il responsabile della protezione dei dati
GDPR Tutorial - 5 Dalla privacy alla sicurezza
GDPR Tutorial - 4 Consenso, informativa, dati e sanzioni
GDPR Tutorial - 3 Titolari, responsabili e soggetti
GDPR Tutorial - 2 Considerazioni generali - seconda parte
GDPR Tutorial - 1 Considerazioni generali - prima parte
premio_innovazione_smau_2009
Articolo su La voce del Trentino
Security Audit and Security Tools
Project management collaborativo
Internet reputation
Presentazione del libro Wikicrazia a Bookique (Trento)
South Tirol Free Software Conference - Bolzano 18/11/11

Recently uploaded (20)

PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PPT
Teaching material agriculture food technology
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PPTX
Machine Learning_overview_presentation.pptx
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PPTX
TLE Review Electricity (Electricity).pptx
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
A comparative analysis of optical character recognition models for extracting...
PPTX
OMC Textile Division Presentation 2021.pptx
PDF
Approach and Philosophy of On baking technology
PPTX
Tartificialntelligence_presentation.pptx
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPTX
Spectroscopy.pptx food analysis technology
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
Machine learning based COVID-19 study performance prediction
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Mobile App Security Testing_ A Comprehensive Guide.pdf
Teaching material agriculture food technology
Per capita expenditure prediction using model stacking based on satellite ima...
Machine Learning_overview_presentation.pptx
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
TLE Review Electricity (Electricity).pptx
Spectral efficient network and resource selection model in 5G networks
A comparative analysis of optical character recognition models for extracting...
OMC Textile Division Presentation 2021.pptx
Approach and Philosophy of On baking technology
Tartificialntelligence_presentation.pptx
A comparative study of natural language inference in Swahili using monolingua...
Reach Out and Touch Someone: Haptics and Empathic Computing
Spectroscopy.pptx food analysis technology
Programs and apps: productivity, graphics, security and other tools
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
Machine learning based COVID-19 study performance prediction
SOPHOS-XG Firewall Administrator PPT.pptx

Gdpr presentation with notes

  • 1. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 1 GDPR Massimo Carnevali The material of this course is licensed under Creative Commons 4.0 International: Attribution-Share Alike. https://creativecommons.org/licenses/by-sa/4.0/ Where known, the sources of images used have been quoted, for images that I have not been able to find the source I’m available for quoting or regularization. Massimo Carnevali posta@massimocarnevali.com https://it.linkedin.com/in/massimocarnevali "Master lock with root password" by Scott Schiller - Flickr: Master lock, "r00t" password. CC BY 2.0 via Wikimedia Commons
  • 2. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 2 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 2 Agenda GDPR: ● What you need to know ● What you need to fix ● How you’ll fix it Disclaimer: These are my own words and opinions. I’m not a lawyer nor am I providing legal advice. Please treat my assertions as personal opinions and not as legal prescriptions.
  • 3. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 3 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 3 General Consideration GDPR 679/2016 General Data Protection Regulation Regulation 2016/679. It’s a set of commons rules for all EU countries.
  • 4. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 4 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 4 General Consideration Natural persons Personal data “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”
  • 5. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 5 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 5 General Consideration May 25, 2018 This regulation is already in force and deadline to be compliant is May 25, 2018, which means that as of May 26, 2018, sanctions may be granted for those companies or entities that did not take all the precautions indicated in this regulation.
  • 6. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 6 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 6 General Consideration Directives vs Regulation “A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Regulations can be distinguished from directives which, at least in principle, need to be transposed into national law. Regulations can be adopted by means of a variety of legislative procedures depending on their subject matter.” https://en.wikipedia.org/wiki/Regulation_(European_ Union)
  • 7. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 7 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 7 General Consideration The basic idea that led the European Union towards the creation of this document was to provide a single regulatory framework for the management of user data across all EU states. Having common legislation will allow companies operating internationally to interfere with a single national body for all issues related to data management, which will lead to a reduction in costs and complexity. Central Data Protection Board managing a national Data Protection Authority
  • 8. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 8 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 8 General Consideration Citizens? This is a new legal infrastructure for the management of personal data of citizens of the EU. It does not apply to deceased persons. It applies to European citizens' data even though they are stored/ managed abroad. The law applies both to electronic and paper processing if the latter are structured in archives. Not clear the border of "citizen/resident": Art. 3.2 “This Regulation applies to the processing of personal data of data subjects who are in the Union” (tourist? refugee? temporary worker?) Preambles 2, 14, 124 doesn’t help. Draft regulation was “EU residents” ma these words were lost. So ??
  • 9. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 9 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 9 General Consideration What you must do Not how to do it It doesn’t say: “you must buy a firewall”, it says “you must protect your data”.
  • 10. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 10 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 10 General Consideration Appropriate measures “implement appropriate technical and organizational measures”. Term used very often. Appropriate related to money, technology etc.
  • 11. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 11 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 11 General Consideration 250 employees A little easier if you have less the 250 employees.
  • 12. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 12 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 12 General Consideration Collection and store Data collected for a purpose can not be used for another purpose. The collected data must be adequate, relevant and limited to the minimum necessary for the purpose (so-called minimization of data). The archived data must be accurate and updated, if they are not up to date you must delete them. Data retention time, must be specified in the consensus as to how long I will preserve them and this retention must be defined and limited to the time required for the treatment. The integrity, confidentiality and availability of data must be guaranteed. I can only collect data to provide a service or with explicit authorization.
  • 13. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 13 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 13 General Consideration Under 16 There are special considerations for the treatment of data of children under 16 years of age. Under discussion: how to verify the age of the person? How to verify a parent is accepting the rules?
  • 14. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 14 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 14 General Consideration Commercial activities Professional activities It concerns only data processing for commercial and professional activities, therefore strictly individual treatments are excluded. No problem, therefore, for the personal phone book. Excludes treatments not performed for business purposes. Beware: the concept of "business" does not mean that if no money circulates between the company and the customer the GDPR does not apply. Suppose I give you a free service and then I resell your data, I got from this service. There is no money exchange but my treatment is to be considered for business purposes so GDPR applies.
  • 15. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 15 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 15 Definitions Data controller Data controller. Art 4(7) ‘data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data Data Controller is responsible directly and personally to the treatments taking place in the company. It is possible to have a contingency system to share responsibilities and tasks.
  • 16. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 16 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 16 Definitions Data controller Art.5 Data controller is responsible that data are: ● processed lawfully, fairly and in a transparent manner ● collected for specified, explicit and legitimate purposes ● adequate, relevant and limited ● accurate and, where necessary, kept up to date ● kept for no longer than is necessary ● processed in a manner that ensures appropriate security ● protected against unauthorized or unlawful processing and against accidental loss, destruction or damage Data Controller must ensure that these points are respected otherwise it is punishable.
  • 17. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 17 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 17 Definitions Data Processor Data Processor is a natural or legal person, public authority or agency which processes personal data on behalf of the controller The maximum liability in terms of infringements remains with the data controller, but there is a concept of solidarity between processor and controller.
  • 18. Massimo Carnevali - Creative Commons 4.0 International: BY-SA 18 Massimo Carnevali - Creative Commons License 4.0: Attribution-Share alike 18 Definitions Data Processor The controller is detailed in Art. 28. It must be designated by the controller and can not designate other processors independently but may appoint sub-processors (Art. 28 (4), must be authorized) for specific treatment activities . There must be a contract of some kind between controller and processor. The controller must train the processor. If the processor is outside the company, the service contracts must report the compliance of the processor's activities with the GDPR. It has legal responsibility for its treatments.
  • 19. Definitions: Data Subject. Customer, citizen, employee etc. Any natural person in the European Union in their role as client, collaborator or user of a company, whether that company is based inside or outside the EU. This means that GDPR also applies to non-European companies when they handle data of people in the EU. As mentioned before, whether the test is citizenship, residence or physical presence is not spelled out clearly (Art. 3(2) speaks of data subjects "who are in the Union").
  • 20. Definitions: Consent and information. Call an attorney. The highest tier of fines applies to wrong consent and information (Art. 83(5)).
  • 21. Definitions: Fines. Up to 20M€ or 4% of total worldwide annual turnover (whichever is higher). Article 83 states that every sanction must be effective, proportionate and dissuasive and is set taking into account the nature, gravity and duration of the infringement and its intentional or negligent character. There are two tiers: up to €10 million or 2% of annual global turnover for infringements of the controller's and processor's obligations (including the Art. 32 security measures), and up to €20 million or 4% for infringements of the basic principles, consent, data subject rights and international transfers (in both tiers the higher of the two values applies). For public authorities each member state decides whether and how fines apply; direct personal responsibility of public executives is likely.
  • 22. Definitions: Personal data. What is "personal data"? Obviously name, surname, phone number, email, date and place of birth etc. The concept, however, extends to data that can "potentially" identify the person, also in combination with other data. A few examples: IP addresses, cookies, RFID tags, MAC addresses and IMEI codes can help build the identity of a person (Recital 30 names online identifiers of this kind), so they must be treated as potential personal data. No distinction is made between public and private personal data of the data subject.
  • 23. Definitions: Special categories of personal data ("sensitive data"). Art. 9, Special categories of personal data. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation, plus the "more modern" categories of genetic and biometric data. Processing is prohibited unless one of the grounds of Art. 9(2) applies, such as the explicit consent of the data subject (the performance of a contract alone is not among them). The prohibition also falls away where the data subject has manifestly made the data public (for example someone who publicly stands for a party or a union and thereby declares their membership).
  • 24. From privacy to security: Article 32, Security of processing. What guides the data controller in choosing the technical measures to implement? Reading Art. 32. Its key points follow.
  • 25. From privacy to security. "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing ..., the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk." GDPR tells us what we have to take into account, who must implement the measures (controller and processor) and what their goal is (security appropriate to the risk). The article goes on to name, "as appropriate", the pseudonymisation and encryption of personal data.
  • 26. From privacy to security. "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" Which means that you must protect your servers and make them redundant.
  • 27. From privacy to security. "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident" Backup and disaster recovery.
  • 28. From privacy to security. "a process for regularly testing, assessing and evaluating the effectiveness" of the measures. All of this must be tested, assessed and evaluated, and regularly, not once.
  • 29. From privacy to security: Pseudonymisation. "personal data can no longer be attributed to a specific data subject without the use of additional information" I replace "Massimo Carnevali" with a pseudonym and keep the conversion table separately and securely. This mechanism is called pseudonymisation (Art. 4(5)); note that pseudonymised data is still personal data as long as the controller holds the additional information (Recital 26). Whether I have to encrypt, pseudonymise or do nothing follows from the impact analysis. Test environments are a typical problem: copies of production data with the real names in them.
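The mechanism of slide 29, as an added example in Python (not code from the original slides): each direct identifier is replaced by a keyed token, and the key plus the token-to-name table are the "additional information" that must live apart from the working data, under stricter access control. The customer rows, the key and the field names are constructed for illustration; the working rows are what can safely be copied into a test environment.

```python
"""Pseudonymisation with a separately held re-identification table (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample: a customer table as an application might hold it.
CUSTOMERS = [
    {"name": "Massimo Carnevali", "city": "Bologna", "plan": "gold"},
    {"name": "Mario Rossi", "city": "Milano", "plan": "basic"},
    {"name": "Massimo Carnevali", "city": "Bologna", "plan": "gold"},  # duplicate row
]


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic keyed token (HMAC-SHA256): same key + same name -> same
    token, so joins across tables keep working, but without the key the token
    cannot be reversed. A plain unkeyed hash would not do: it can be brute-forced
    from a list of likely names."""
    mac = hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256)
    return "ps_" + mac.hexdigest()[:16]


def pseudonymise(rows, key: bytes):
    """Return (working_rows, lookup_table).

    working_rows: the rows with 'name' replaced by 'subject_id'; this is what
                  analysts or a test environment receive.
    lookup_table: token -> real name; to be stored on a different system, with
                  different access rights, never next to working_rows.
    """
    working, lookup = [], {}
    for row in rows:
        token = make_pseudonym(key, row["name"])
        lookup[token] = row["name"]
        working.append({"subject_id": token,
                        **{k: v for k, v in row.items() if k != "name"}})
    return working, lookup


def reidentify(working_rows, lookup):
    """Re-identification is possible only for whoever holds the table."""
    return [{"name": lookup[r["subject_id"]],
             **{k: v for k, v in r.items() if k != "subject_id"}}
            for r in working_rows]


def leaks_identity(working_rows, rows) -> bool:
    """Check to run before shipping a copy elsewhere: no original name may
    appear in any field of the pseudonymised dataset."""
    names = {r["name"] for r in rows}
    return any(v in names for r in working_rows for v in r.values() if isinstance(v, str))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept in a key store, not beside the data
    working, table = pseudonymise(CUSTOMERS, key)
    print(working)                                    # tokens only
    print("leak:", leaks_identity(working, CUSTOMERS))  # False
    print("round trip:", reidentify(working, table) == CUSTOMERS)  # True for the table holder
```

The token is deterministic on purpose: the same person gets the same `subject_id` in every table, so the working copy stays usable for joins and statistics. Rotating the key produces a fresh set of tokens, which is the cheap way to cut old copies loose.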
  • 30. From privacy to security. "accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access" So it is not enough to prevent an attacker from reading the data: I must also make sure I do not lose or corrupt it through a mistake or an accident.
  • 31. From privacy to security. "Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance" ISO 27001.
  • 32. From privacy to security. "The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller" So you MUST train everybody who handles personal data, and give them written instructions.
  • 33. Data Protection Officer. Art. 37, Data protection officer. Not every company must appoint a DPO. It is mandatory for public authorities, where the core activities consist of large-scale, regular and systematic monitoring of data subjects (social networks, e-commerce, but also telecommunications companies), and where the core activities consist of large-scale processing of special / sensitive data (healthcare is the typical case). The designation is made by the controller and by the processor, and the DPO's contact details must be published and communicated to the supervisory authority.
  • 34. Data Protection Officer: inform, monitor, advise, train; no operational duties and no legal interpretation. If the DPO is internal, he or she must not hold operational roles in conflict with the function (not the IT manager, not the HR manager, not the CFO) and must sit high in the corporate chain of command. The DPO can be external to the company, and in that case need not be dedicated: one DPO can be shared among many companies. Required is a mix of legal knowledge, technical skills, organisational skills, command of control tools and knowledge of the company's market.
  • 35. Data Protection Officer. ➢ Experience ➢ Professional capacity ➢ Capacity to carry out tasks ➢ DPO as a service. Experience level (higher complexity of the processing calls for a more experienced DPO). Professional capacity (legal, technological and process expertise, but also deep knowledge of the specific sector of the company or public administration). Capacity to carry out the tasks (integrity, ethics, culture etc.). DPO as a service (acquiring the Data Protection Officer role on the basis of a service contract).
  • 36. Records of processing activities. Art. 30. A collector of risk-analysis information and the list of personal data processing operations. The record also supports the work of the Data Protection Officer. It must not contain generic indications but detailed descriptions, must be kept in writing (paper or electronic) and must be kept up to date. It is not only a bureaucratic requirement: it is useful.
  • 37. Records of processing activities. ➢ Description ➢ Purposes ➢ Data subject categories ➢ Personal data categories ➢ Transfers of the data ➢ Data retention. A complete version must be kept by the data controller (a full description of the processing, its purposes, the categories of data subjects and of personal data, any transfer of the data, the retention period etc.). A smaller version is kept by the data processor (for example, it contains no information about the deletion of personal data, since that is the responsibility of the controller).
  • 38. Records of processing activities. "general description of the technical and organisational security measures referred to in Article 32(1)" For each activity there will be such a general description. Companies with fewer than 250 employees are exempt from the record unless the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories or criminal data (Art. 30(5)), which in practice covers most organisations. Each controller or processor must cooperate with the supervisory authority and make the record available on request, so that it can serve to monitor the processing operations.
  • 39. Data protection by design and by default. Art. 25. This is a major issue: a company or organisation designing a piece of software or a process will have to review its plans for protection and confidentiality. All projects will have to adopt policy and technology measures to get data protection by design and by default. For example: minimise the processing of personal data, pseudonymise or encrypt them as soon as possible etc.
  • 40. Data protection. "Taking into account the state of the art, the cost ... and the nature, scope, context and purposes of processing as well as the risks" Systems will have to be designed to collect only the minimum data needed to provide the service to the user, and that data will be visible only to those who need it. Certified processes can be used as a demonstration of doing the right things. All of this is done "taking into account the state of the art, the cost ... and the nature, scope, context and purposes of processing as well as the risks": the measures must be adapted to the context.
  • 41. Data Breach. A lot of discussion about this. Definition: "Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Art. 33 and 34: 72 hours after becoming aware of it, the breach must be notified to the supervisory authority (unless it is unlikely to result in a risk) and, when it is likely to result in a high risk for them, communicated to the data subjects without undue delay. This applies also to companies under 250 employees.
  • 42. Data Breach: encryption of smartphones and personal computers. What about theft of encrypted data? If the controller can demonstrate that the stolen data was encrypted and the key or unlock credential was not lost with it, communication to the data subjects is not required (Art. 34(3)(a)); whether the authority must still be notified depends on the residual risk, and the breach must in any case be documented internally (Art. 33(5)). The immediate consequence is full-device encryption of smartphones and personal computers containing personal data: otherwise the theft of the device falls under the obligation to report the breach to the authority (in addition to the police report for the stolen device). The notification must follow a standard format (still to be defined in some countries) and explain the measures taken to limit the damage.
  • 43. Data Protection Impact Assessment, DPIA (Art. 35). Required only where the processing is likely to result in a high risk to the rights and freedoms of natural persons. The output of the analysis is the input for the security process. If the DPIA shows a high residual risk that the controller cannot mitigate, the supervisory authority must be consulted before processing (Art. 36). The authority may publish a list of operations for which it considers the impact assessment always mandatory. Compliance with approved codes of conduct is taken into due account in the assessment, but does not replace it (Art. 35(8)).
  • 44. Data subject rights (user, citizen, customer, employee etc.): Right to erasure ("right to be forgotten"), Art. 17. New, and with a lot of hype recently. The data subject has the right to have the data held by the controller erased, for instance by withdrawing consent to the processing. As far as possible the controller also has to remove replicas, copies, reproductions, links etc. of the data, which the legislator confines within the limits of reasonableness. There is a backup issue. And there is an incompatibility with some banking and administrative rules (e.g. civil registry, ID cards): where the law mandates retention, that obligation prevails (Art. 17(3)).
  • 45. Data subject rights: Right to rectification, Art. 16 (very short). The controller, when requested, must correct or complete the data of the data subject.
  • 46. Data subject rights: Right to data portability, Art. 20. New concept! This article will primarily affect cloud services, where the theme of the full migration of a user's data from one provider to another is particularly strong. Imagine a social network that wants to break the Facebook monopoly: the job would be far simpler if users could transfer their data with one click from one social network to another. It would be a competitive advantage for companies but also interesting for the user, who would no longer be tied for life to one supplier (the so-called "vendor lock-in").
  • 47. Data subject rights: Right to data portability (13/12/16 integration). Data subjects have the right to get their data back in a structured, commonly used and machine-readable format. If they want, they can also request a direct transfer of the data between two controllers, leaving the interoperability problem to them. A supplementary document (Article 29 Working Party guidelines) was adopted on 13/12/2016, which examines the technical aspects of interoperability between IT systems and the need to develop applications that make it easy for users to exercise this right. I personally see it as a potential push towards open data formats, the only ones that can truly guarantee this portability.
  • 48. Data subject rights: Right of access, Art. 15. The controller must respond within one month (extendable by two further months in particularly complex cases, so three at most), must provide the information free of charge or at most for a reasonable administrative fee for further copies, and, if the user asks, must provide the data in an electronic "commonly used format" (unclear; I think there will be some debate). The controller may refuse repeated, manifestly unfounded or excessive requests.
  • 49. Data subject rights: Right to restriction of processing, Art. 18. It is different from deletion: it is a temporary suspension of the processing, while the data remains stored by the controller (perhaps because a judgment or a review by the authority is pending). Technically it may not be trivial, because the software must support it (and here we go back to the theme of "privacy by design", which must take this factor into account). One solution is to move the suspended data to an environment separate from production.
  • 50. Data subject rights. ➢ access ➢ rectification ➢ erasure ➢ portability ➢ restriction. So, as a data subject I have the right: ● to get a copy of my data ● to correct the data you hold on me ● to have all my data deleted ● to get my data in a portable format or to have them transferred between controllers ● to stop the processing without touching the data. As a data controller I must be ready to receive and answer all of these requests.
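A controller-side handler for the access, rectification, erasure and portability requests of slides 44 to 50, as an added Python example (not code from the original slides). The three stores (a master customer table, a CRM export and a mailing list), the subject record, the 30-day deadline and the 35-day backup rotation are constructed assumptions; in a real company they come out of the data audit and the backup policy. The point it adds to the slides: rectification and erasure have to follow the data into every derived copy, and the answer on erasure should say what is still pending in backups instead of claiming it is already gone.

```python
"""Serving data subject requests across all known copies of the data (added example)."""
import json
from datetime import datetime, timedelta, timezone

RESPONSE_DEADLINE = timedelta(days=30)   # Art. 12(3): answer within one month (30 days assumed)
BACKUP_RETENTION = timedelta(days=35)    # assumed snapshot rotation: erasure there is deferred


class SubjectRequests:
    """One entry point per right; every request is logged with its deadline."""

    def __init__(self, primary, crm, mailing, now):
        self.primary = primary    # subject id -> master record
        self.crm = crm            # subject id -> derived CRM copy
        self.mailing = mailing    # set of e-mail addresses
        self.now = now
        self.log = []

    def _record(self, subject_id, kind, **detail):
        self.log.append({"subject_id": subject_id, "request": kind,
                         "received": self.now.isoformat(),
                         "respond_by": (self.now + RESPONSE_DEADLINE).isoformat(),
                         **detail})

    def access(self, subject_id):
        """Art. 15: everything held on the subject, across all known copies."""
        rec = self.primary.get(subject_id)
        if rec is None:
            return None
        self._record(subject_id, "access")
        return {"subject_id": subject_id,
                "primary": dict(rec),
                "crm": dict(self.crm.get(subject_id, {})),
                "mailing_list": rec["email"] in self.mailing}

    def export(self, subject_id):
        """Art. 20: the same bundle in a structured, machine-readable format
        (JSON here; the regulation does not name one), for the subject or for
        direct transfer to another controller."""
        bundle = self.access(subject_id)
        return None if bundle is None else json.dumps(bundle, sort_keys=True)

    def rectify(self, subject_id, **fields):
        """Art. 16: correct the master record and keep derived copies in step."""
        rec = self.primary.get(subject_id)
        if rec is None:
            return False
        old_email = rec["email"]
        rec.update(fields)
        if "email" in fields:
            if subject_id in self.crm:
                self.crm[subject_id]["email"] = fields["email"]
            if old_email in self.mailing:
                self.mailing.discard(old_email)
                self.mailing.add(fields["email"])
        self._record(subject_id, "rectification", fields=sorted(fields))
        return True

    def erase(self, subject_id):
        """Art. 17: delete from every live copy. Backups are immutable snapshots,
        so the reply states when they will be purged rather than claiming an
        erasure that has not happened yet."""
        rec = self.primary.pop(subject_id, None)
        if rec is None:
            return None
        self.crm.pop(subject_id, None)
        self.mailing.discard(rec["email"])
        purged_by = (self.now + BACKUP_RETENTION).date().isoformat()
        self._record(subject_id, "erasure", backups_purged_by=purged_by)
        return {"erased_from": ["primary", "crm", "mailing_list"],
                "pending": {"backups": purged_by}}


def demo():
    """Run the rights against constructed data; returns what happened at each step."""
    handler = SubjectRequests(
        primary={"42": {"name": "Mario Rossi", "email": "mario@example.org", "plan": "basic"}},
        crm={"42": {"email": "mario@example.org", "last_contact": "2017-11-02"}},
        mailing={"mario@example.org", "other@example.org"},
        now=datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    out = {"export": handler.export("42")}
    handler.rectify("42", email="m.rossi@example.org")
    out["after_rectify"] = handler.access("42")
    out["erase"] = handler.erase("42")
    out["after_erase"] = handler.access("42")
    out["mailing_left"] = sorted(handler.mailing)
    out["respond_by"] = handler.log[0]["respond_by"]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The request log is the piece auditors ask for first: it proves when the request arrived and by when it was answered. The derived copies handled here are only the ones the data audit found; a copy nobody inventoried is the one that will be missed.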
  • 51. Data subject rights: a special data subject, the employee. Art. 88: employees as a special category of data subjects. Beyond what is already written in GDPR, member states may lay down more specific or restrictive rules, by law or by collective agreement, on the management of employee data and on recruitment processes. The employee/company relationship thus becomes a particular case of the controller/subject relationship.
  • 52. Codes of conduct and certifications, Art. 40 to 43. GDPR encourages certification and the creation of specific codes of conduct, which will be published, collected in a register and monitored by the competent authorities. Although not explicitly quoted, ISO 27001 can be identified as the top certification level; more specific certifications will likely emerge for cases where ISO 27001 is too complex to implement. In support of this thesis, the security structure referred to in Article 32 is very similar to the ISO 27001 ISMS (Information Security Management System) model.
  • 53. Going outside the EU: transfers of personal data to third countries or international organisations, Chapter V from Art. 44. The compliance obligation applies to all subjects, wherever located, that process data of people in the EU. This European legislation impacts business around the world: if they use data of people in the EU, GDPR imposes restrictions on the management of that data even when it is taken outside the EU. If you process such data but are based outside the EU, you must designate a representative within the EU (Art. 27). A multinational corporation must also guarantee the rights over personal data that ends up in foreign locations. Very high fines (the top tier) for this infringement. There will be a lead supervisory authority acting as a "one stop shop" for cross-border processing (Art. 56; clarified in the Article 29 Working Party guidelines of 13/12/2016).
  • 54. Impact on companies: am I involved? In most cases the answer is yes. Certainly if you are a public administration, if you work in healthcare, if you deal with special or sensitive data in your business, if you do e-commerce, or in any situation involving a consumer. If your business is essentially B2B you have to evaluate: personal data can hide anywhere in your business, there are employees, candidates in selection, external collaborators, employees of companies that work for you (cleaning, catering), your agents, distributors, dealers, CRMs where you may also keep handy references to the people who provide you assistance, and more. The first thing to do is to understand how GDPR impacts you.
  • 55. Impact on companies: aggregation of personal data. Once the company understands all the data sitting inside its boundaries, it must aggregate each individual's data in one place, or in any case make it aggregable, by linking its various representations in the different company databases. Implementing GDPR actually requires that any data that can potentially identify an individual be included in this single view.
  • 56. Impact on companies: link data to processes. The company must create a link between every item of individual data (however it is distributed across the databases) and the processes it is subject to. This is crucial to keep control of the chain of consent the individual has given, to be able to alert the individual when the purpose for managing a datum changes, or to alert him or her in the event of a data breach (as required in some situations by Articles 33 and 34).
  • 57. Impact on companies: "goal achieved". Companies must add a "goal achieved" flag to personal data. GDPR says that personal data may be used only for a specific purpose, the one for which consent was given. Once that goal is reached, the data in question should no longer be retained by the controller. Business applications must offer deletion at the granularity of the individual and of the single data item. If my data is involved in multiple processing operations, once every one of them has the "goal achieved" flag set to true the controller must delete it (subject to any retention period imposed by law).
  • 58. Impact on companies: right to restriction of processing. The possibility for the data subject or for the authority to request a suspension of processing implies a revision of current applications: a mechanism to identify the data to be suspended, and a means of freezing it in its current state.
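Linking each datum to its processing purposes (slide 56), the "goal achieved" flag (slide 57) and the freeze required by restriction of processing (slides 49 and 58), as one added Python example that is not code from the original slides. The subject, the purposes and the retention periods are constructed for illustration; the 10-year retention stands in for a legal obligation to keep invoices, and the real period depends on the applicable law. The example goes slightly beyond the slides in two ways a practitioner will want: a field that no purpose uses is deleted at the first sweep (data minimisation), and a field under restriction is never swept, because Art. 18 means "store, don't process".

```python
"""Purpose-linked storage: "goal achieved", retention and restriction (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Purpose:
    name: str
    needs: set                 # data items this purpose is allowed to use
    retention: timedelta       # how long the data must stay after the goal is achieved
    achieved_on: date = None   # the "goal achieved" flag, recorded as a date


@dataclass
class SubjectRecord:
    data: dict                                    # field -> value
    purposes: dict                                # purpose name -> Purpose
    restricted: set = field(default_factory=set)  # purposes frozen under Art. 18


class Store:
    def __init__(self, today: date):
        self.today = today
        self.subjects = {}

    def add(self, subject_id, data, purposes):
        self.subjects[subject_id] = SubjectRecord(dict(data), {p.name: p for p in purposes})

    def read(self, subject_id, purpose):
        """The only access path for applications: returns just the fields the
        purpose needs, and refuses while the purpose is restricted or already
        achieved (the data may still be stored, but must not be processed)."""
        rec = self.subjects[subject_id]
        p = rec.purposes[purpose]
        if purpose in rec.restricted:
            raise PermissionError(f"processing for '{purpose}' is restricted (Art. 18)")
        if p.achieved_on is not None:
            raise PermissionError(f"goal of '{purpose}' achieved; data held for retention only")
        return {k: rec.data[k] for k in p.needs if k in rec.data}

    def restrict(self, subject_id, purpose, on=True):
        rec = self.subjects[subject_id]
        (rec.restricted.add if on else rec.restricted.discard)(purpose)

    def mark_achieved(self, subject_id, purpose):
        self.subjects[subject_id].purposes[purpose].achieved_on = self.today

    def _expired(self, p):
        return p.achieved_on is not None and self.today >= p.achieved_on + p.retention

    def sweep(self):
        """Periodic job. A field is deleted when every purpose using it has
        achieved its goal and passed its retention; a field no purpose uses is
        deleted at once. Fields under a restriction are left untouched.
        Subjects with no data left are dropped. Returns what was deleted."""
        deleted = []
        for sid, rec in list(self.subjects.items()):
            for fld in list(rec.data):
                users = [p for p in rec.purposes.values() if fld in p.needs]
                if any(p.name in rec.restricted for p in users):
                    continue
                if all(self._expired(p) for p in users):
                    del rec.data[fld]
                    deleted.append((sid, fld))
            if not rec.data:
                del self.subjects[sid]
        return deleted


def scenario():
    """Walk one constructed subject through the lifecycle; returns the observable results."""
    store = Store(date(2018, 5, 25))
    store.add("42",
              {"name": "Mario Rossi", "email": "mario@example.org",
               "iban": "IT00X0000000000000000000000", "phone": "+39 051 000000"},
              [Purpose("newsletter", {"name", "email"}, timedelta(0)),
               Purpose("order_fulfilment", {"name", "iban"}, timedelta(days=3650))])
    out = {"newsletter_view": store.read("42", "newsletter")}
    store.restrict("42", "newsletter")
    try:
        store.read("42", "newsletter")
        out["restricted_read"] = "allowed"
    except PermissionError:
        out["restricted_read"] = "refused"
    out["sweep_while_restricted"] = store.sweep()      # only 'phone': no purpose uses it
    store.restrict("42", "newsletter", on=False)
    store.mark_achieved("42", "newsletter")
    out["sweep_after_newsletter"] = store.sweep()      # 'email' goes; 'name' still needed
    store.mark_achieved("42", "order_fulfilment")
    out["sweep_before_retention"] = store.sweep()      # nothing: invoices kept 10 years
    store.today += timedelta(days=3650)
    out["sweep_after_retention"] = store.sweep()
    out["subject_still_stored"] = "42" in store.subjects
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Routing every application read through `read()` is what makes the flags enforceable: a purpose that is restricted or achieved gets nothing, while the data stays on disk for the retention period the law requires.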
  • 59. Impact on companies: data protection by design and by default. For the activation of new software, processes or processing operations, you will have to take into account the new requirements of data protection by design and by default, which will have a significant impact on companies.
  • 60. Impact on companies: contracts with external suppliers. The management of outsourcing contracts, cloud services etc. must also be updated, verifying that the companies providing the services process the data in accordance with the new regulation.
  • 61. Impact on companies: shared roadmap. The roadmap towards GDPR compliance is not only "IT stuff": it is a journey that impacts business strategy. There will be many questions to ask, and the answers will come from different parts of the company. You will need to understand why certain data is collected, why it is stored instead of deleted, what data your applications collect, whether all of it is needed to deliver the services, what the purpose of all these processing operations is, and so on. These are not (only) IT questions. But above all, the fundamental question: is keeping this data still worth the cost of encrypting, anonymising or otherwise protecting it?
  • 62. Roadmap towards GDPR: company roadmap. This is just a simple list of considerations to be customised to the company's needs. Even the sequence of points is not strictly chronological, since many themes can be implemented in parallel.
  • 63. Roadmap towards GDPR: awareness and training. The starting point is to build awareness of data security within the company, which is always useful even outside the GDPR roadmap. Training should involve at least the decision makers and the operational part of the company and focus on the meaning and impact of this new legislation.
  • 64. Roadmap towards GDPR: Data Protection Officer. Among the first things to do, of course, is to identify the Data Protection Officer, if the law requires one for the company, assessing whether to use an internal figure, properly placed in the organisational chart, or to engage a consultant or an external company.
  • 65. Roadmap towards GDPR: data audit, find all the data inside the company. The starting point of this path is the search for all personal data within the company through a "data audit". For each group of data you need to identify the processing operations and their owner, how the data is stored and used, and what must be done on that data to comply with GDPR. If the data is exchanged with the outside, appropriate verification and information procedures must be put in place.
  • 66. Roadmap towards GDPR: analyse data collection processes. How do I collect data? The current collection processes must be analysed, verifying case by case that the business needs and the legitimate reasons for the collection are clearly identified. Make sure that all processes comply with GDPR.
  • 67. Roadmap towards GDPR: breach notification. As required by the law, a cybersecurity incident plan must be established, with particular regard to data breaches. The plan has to involve the entire company, so that information circulates effectively, accurately and with the least possible damage to the organisation. This point is not purely technological: it involves human resources, marketing, external relations and, of course, top management. Once the plan is in place, it must be tested with specific simulations.
  • 68. Roadmap towards GDPR: consent and information. Violations of consent and information trigger the maximum fines provided by GDPR. The company must go through its current procedures, reviewing them in detail and updating them to the requirements of GDPR. On this point strong legal support is absolutely necessary. One must identify and explain, for example, the legal basis on which each processing operation is carried out.
  • 69. Roadmap towards GDPR: data subject rights. Data subjects have strong access rights to their data. The company's task is to provide the appropriate tools that let users exercise those rights. Simple and fast procedures must be set up to let users access their data, ask for correction or deletion, request a copy in a commonly used electronic format and request a transfer to another controller. Beware of the response time of one month (internal procedures, processes etc.) and remember that you cannot charge the user.
  • 70. Roadmap towards GDPR: data protection by design and by default. As already mentioned, data protection by design and by default involves reviewing procedures, processes and software to verify that they are designed with data protection in mind.
  • 71. Roadmap towards GDPR: run a Privacy Impact Assessment (the DPIA of Art. 35). By May 2018 companies must have a privacy impact assessment process in place that helps them identify and minimise privacy risks in projects and policies. The first run will of course be the most complex and will serve as input for the DPO's work; later you can proceed with periodic checks, working on the differences. A PIA is not always compulsory, but it is still convenient, and it must be done in potentially high-risk situations.
  • 72. Roadmap towards GDPR: review of contracts. Companies will have to review and supplement all service contracts that involve the processing or retention of personal data. Specific clauses on adherence to the new legislation, allocation of responsibilities and control of any subcontracting must be introduced. Specific "Privacy Level Agreements" must be negotiated.
  • 73. Roadmap towards GDPR: technology. Companies will also have to review all the technological questions, to see whether the technologies in use are adequate to protect them from internal and external attacks.
  • 74. Roadmap towards GDPR: internationalisation. If the company operates internationally, all relevant assessments of where data is located and how it moves must be made (especially if those movements involve countries outside the European Union). Also, for companies with head offices in more than one EU country, the lead supervisory authority must be identified as the single point of reference for GDPR.
  • 75. Roadmap towards GDPR: sample timeline. http://www.2twenty4consulting.com/gdpr-workshop /4593148456
  • 76. Roadmap towards GDPR: data flow sample. https://www.linkedin.com/pulse/gdpr-data-flow-map ping-approach-tim
  • 77. Massimo Carnevali, posta@massimocarnevali.com, www.linkedin.com/in/massimocarnevali