Published by Ὕδρα Κορομηλάς. Modified over 5 years ago.
1
EU General Data Protection Regulation: Changes and implications for personal data collecting companies
Authors: Christina Tikkinen-Piri, Anna Rohunen, Jouni Markkula
Source: Computer Law & Security Review, Vol. 34, pp , Feb. 2018
Speaker: Kai-Fan Chien
Date: 2019/7/18
2
Outline
  Introduction
  Methodology
  Changes introduced by the GDPR
  Practical implications of the GDPR
  Conclusions
3
Introduction (1/2)
  General Data Protection Regulation and Data Protection Directive 95/46/EC (DIR95)
  Calculation power, Storage capacity, Network technology
  New and increased challenges for personal data protection
  Many new business opportunities may be missed
  New!!
4
Introduction (1/2)
  Offering consistency in data protection and more integrated
  Transparency
  Rights
5
Methodology (1/2)
  Main research question
    What are the strategic, business practice, organisational and technical implications of the GDPR for personal data intensive companies?
  Personal data intensive companies
    Social media
    Healthcare
    Financial services
6
Methodology (2/2)
  Research questions
    What are the changes introduced by the GDPR compared to DIR95?
    What are the main practical implications of the GDPR's imposed changes for personal data intensive companies?
7
Changes introduced by the GDPR (1/4)
  Transparency and modalities
    Clear and plain language
  Information and access to personal data
    Data portability
    Transfer data to a third country or an international organisation
    EU USA
8
Changes introduced by the GDPR (2/4)
  Rectification and erasure
    Data subject's right to obtain rectification, erasure and restriction of processing of his or her personal data
  Right to be forgotten
    The data subject shall have the right to obtain from the controller the erasure of personal data concerning
9
Changes introduced by the GDPR (3/4)
  Right to object and automated individual decision making
  General obligations
    Data protection by design and by default
10
Changes introduced by the GDPR (4/4)
  Data protection impact assessment and prior consultation
    A data protection impact assessment prior to likely risky processing operations
  Data protection officer (DPO)
    Data processing operations require regular and systematic monitoring of data subjects or when special categories of data are processed
  Penalties
    €20 million or 4% of the total worldwide annual turnover of the preceding financial year
11
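Practical implications of the GDPR (1/2)
  Building privacy through data protection by design and default
    Companies should review their current protection measures, assess such measures' appropriateness
  Designating a DPO
    There are not necessarily enough qualified DPOs currently in the market
  Providing information to data subjects
    Companies need to check whether they are able to provide all the required information to respond to the data subjects' requests
  Companies should review their current protection measures, assess whether those measures are appropriate for meeting data protection by design and by default, and possibly implement new measures.
  Several companies can share a single DPO (shared by Feng Chia (逢甲), Providence (靜宜) and Tunghai (東海)), or the role can be filled by in-house staff with the relevant knowledge.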
12
Practical implications of the GDPR (2/2)
  Obtaining consent on personal data usage
    The specified conditions require obtaining clearly distinguishable consent from the data subject
    Cookies
  Ensuring individuals' right to be forgotten
    Companies are now obliged to delete personal data on the data subjects' request
  Ensuring individuals' right to data portability
13
Conclusions
  GDPR requirements' practical implications for personal data intensive companies
  Two specific research questions