GDPR
Transcript: General Data Protection Regulation

DEFINITION

The General Data Protection Regulation (GDPR) puts regulatory teeth into longstanding governmental guidance about how EU member states handle personally identifiable information.

SCOPE

The regulation applies when:
* an organisation collects data from EU residents
* the data controller is based in the EU

EXCEPTIONS

The following cases are not covered by the regulation:
* Lawful interception, national security, the army, the police, justice
* Statistical and scientific analysis
* Employer-employee relationships
* Processing of personal data by a natural person in the course of a purely personal or household activity

TYPES OF DATA

What types of privacy data does the GDPR protect?
* Basic identity information such as name, address and ID numbers
* Web data such as location, IP address, cookie data and RFID tags
* Health and genetic data
* Biometric data
* Racial or ethnic data
* Political opinions
* Sexual orientation

Who will be responsible for compliance in the company?
* data controller
* data processor
* data protection officer (DPO)

DATA CONTROLLER

The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.

DATA PROCESSOR

Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities.

DPO - DATA PROTECTION OFFICER

* Informing and advising the organization
* Monitoring compliance with the GDPR
* Being the first point of contact for supervisory authorities and individuals

DATA SUBJECT RIGHTS

1. Breach Notification
   - required in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals"
   - should be done within 72 hours of first having become aware of the breach

2. Right to Access
   - confirmation as to whether or not personal data is being processed, where and for what purpose
   - a copy of the personal data must be provided in an electronic format

3. Right to be Forgotten
   - a right to erase personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data

4. Data Portability
   - the right to transmit the personal data which have been previously provided to another controller

5. Privacy by Design and by Default
   Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition. Privacy by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service.

SANCTIONS

* a warning in writing in cases of first and non-intentional noncompliance
* regular periodic data protection audits
* a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraph 4):
  - the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43
  - the obligations of the certification body pursuant to Articles 42 and 43
  - the obligations of the monitoring body pursuant to Article 41

SANCTIONS (continued)

* a fine up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraph 5 & 6):
  - the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9
  - the data subjects' rights pursuant to Articles 12 to 22
  - the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
  - any obligations pursuant to member state law adopted under Chapter IX
  - noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58, or failure to provide access in violation of Article 58