General Data Protection Regulation (GDPR)

Presentation on theme: "General Data Protection regulation (GDPR)"— Presentation transcript:

1 General Data Protection Regulation (GDPR)
An introduction, February 2018

2 Topics covered
We only have 10 minutes.
- Where did GDPR come from?
- What is GDPR?
- Who does it apply to?
- Why should you care?
- Details of a follow-on event
Like it or not, European citizens are getting more insight into the collection and use of their personal data.

3 Where did GDPR come from?
Brief history
- Adopted April 27, 2016
- Applies directly to all Member States of the European Union (“EU”) to serve as a single, overarching regulation
- Repeals its predecessor, the EU Data Protection Directive 95/46/EC
- Introduced to advance and uphold the fundamental data protection and privacy rights of individuals
“Personal data”* means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier:
- Name
- Identification number
- Location data
- Online identifier (e.g., address)
- Physical and/or physiological
- Genetic
- Economic
- Cultural or ethnic

4 What is GDPR? The EU’s General Data Protection Regulation
The objective of the GDPR is harmonization of EU regulations to enhance the rights of EU citizens to govern the privacy of their personal information and to ensure organizations provide the right protections.
The GDPR applies to EU and non-EU organizations that:
- offer goods or services to EU residents;
- monitor the behavior of EU residents.
GDPR effective date: May 25, 2018
Penalties: up to 20,000,000 EUR or 4% of worldwide revenue from the previous fiscal year (Article 83). Fines are determined by the Data Protection Authority (Supervisory Authority).

5 GDPR overview: Key concepts
Principles, privacy, and protection represent the core focus for GDPR readiness. Organizations must focus on adhering to principles, implementing processes to satisfy the privacy rights of the individual, and securing data.
Principles
- Data processed lawfully, fairly, and transparently
- Only collect the personal data needed
- Accuracy of personal data must be maintained
- Minimize the time data is kept in a form that identifies data subjects
- Maintain the confidentiality and integrity of personal data
Privacy (rights of data subjects)
- Transparent information, communication and modalities for the exercise of the rights of the data subject
- Information to be provided where personal data are collected from the data subject
- Right of access by the data subject
- Right to rectification
- Right to erasure (‘right to be forgotten’)
- Right to restriction of processing
- Right to data portability
Protection (controllers and processors)
- Data Protection Officer (DPO)
- Data protection by design
- Records of processing activities
- Security of processing
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data protection impact assessment
- Code of conduct
Notes
- Security of processing: anonymization and pseudonymization represent additional security requirements (potentially).
- Data processed lawfully: consent obtained, processing conducted in accordance with the stated purpose, and compliant with GDPR.
- Code of conduct establishes readiness with GDPR and communicates how the organization will comply and manage risk.
'cross-border processing' means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

6 GDPR overview: Key considerations
GDPR readiness can be complex for some organizations. Leadership should begin to prepare the organization for the journey.
- Key is establishing the DPO role, as required (internal or external)
- Understand GDPR-relevant processing activities
- Gain clarity on the organization’s responsibility and risk
- Complying with the rights of the individual is not trivial: business processes, service desk, and technology impacts
- Factor effort into the 2018 budget; resource impact is a key consideration (assuming good security practices)
- Processor assessment is key; liability isn’t shifted to the processor
- Certification is not defined and is not required. The DPA (supervisory authority) will assign certification bodies and certification guidelines. Move forward with readiness while tracking DPA guidance.
Open questions
- Joint controllers and data ownership: how does this work?
- Cross-border traffic: where does it apply and what are the implications?
- Data subjects’ ability to withdraw consent: what’s the impact?
- Certification with the Supervisory Authority
- Anonymization of personal data: blurring/fuzzing of non-data subjects in video and other media
- Customers leaving the platform: how does this work and what are the implications?
- Records of processing activities (Article 30(5)): applicability to dscout
- How to handle a Privacy Policy separate from agreeing to the TOS?

7 GDPR overview: Misperceptions
Understanding GDPR requirements can be complex. There are several common misperceptions that should be clarified:
- A Data Protection Officer is required for all organizations
- Each GDPR incident will carry a fine equivalent to the greater of 20 million Euro or 4% of annual worldwide revenue
- Consent is always required for processing of personal data
- Parental consent is always required when collecting personal information from a child
- Individuals have the absolute right to be forgotten
- Biometric data is sensitive data
- Controllers do not require processing agreements with processors; GDPR takes care of this

8 More information: Event & whitepaper
GDPR Readiness Workshop
March 23, 11:30 - 4:30, Boston College Club
More info & register at
Whitepaper: “GDPR – A Guide to Readiness”
Available at

