OVERVIEW
1. The great re-consenting swindle
2. Updating processor contracts: re-papering the world?
3. Are we joint controllers?
4. Website privacy policies: is it a Policy or is it a Notice?
5. Data subjects’ rights: opening the floodgates.
6. Personal data breaches: when to put your hand up.
7. Do we need a DPO?
8. When do we need a DPIA?
9. We’re a processor, so what exactly are we supposed to do?
10. But is this all just like the Y2K bug, right?
1. THE GREAT RE-CONSENTING SWINDLE
Please tick the box if you would like to stay in touch…
• Fairness, lawfulness and transparency
  • Lawful basis + transparency
• One potential lawful basis is consent, but there are others…
1. THE GREAT RE-CONSENTING SWINDLE
Lawful grounds for processing personal data
Controllers must establish at least one of the following grounds:
1. Data subject’s consent
2. Contractual performance, or pre-contractual steps at data subject’s request
3. Compliance with controller’s legal obligation
4. The vital interests of the data subject (or another person)
5. Performance of a task carried out in the public interest, or exercise of official authority
6. The processing is necessary for legitimate interests pursued by the controller or a third
party, except where the interests are overridden by the fundamental rights and freedoms of
the data subject which require protection of personal data. (i.e. legitimate interests ≠ ‘get
out of jail free’)
Note the conditions for processing special categories of personal data are different.
1. THE GREAT RE-CONSENTING SWINDLE
Consent:
• Valid consent must be:
  • freely given
  • specific
  • informed (concise, transparent, intelligible and easily accessible)
  • unambiguous
  • a positive affirmation
• Sensitive personal data requires explicit consent
• The data controller bears the burden of proof
• Consent must be capable of withdrawal at any time, without detriment
1. THE GREAT RE-CONSENTING SWINDLE
So do we need to ‘re-consent?’
• The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
  • Regulates unsolicited direct marketing by electronic means:
    • ‘Electronic’ = email, text, telephone (live & automated) or fax
    • ‘Direct marketing’ = directed to a specific individual (calls, texts and emails are inevitably ‘direct marketing’ and hence covered by this definition)
    • ‘Unsolicited’ = not actively requested by the individual
    • Genuine market research ≠ direct marketing
    • Routine customer service messages ≠ direct marketing
  • ‘Opt-in’ consent generally required – subject to exceptions
• What if you have already sent the ‘re-consent’ email?
2. UPDATING PROCESSOR CONTRACTS - RE-PAPERING THE WORLD?
The GDPR applies to processors as well as controllers…
1. Controllers must only use processors that provide sufficient guarantees
2. Controllers must ensure processors are bound by an appropriate contract – significantly
more detailed than under the Data Protection Act 1998
3. Failure may be a breach of organisational security measures
4. May come under scrutiny following a breach
3. ARE WE JOINT CONTROLLERS?
Controllers in common vs. joint controllers
1. Controllers in common may process the same personal data for different purposes
2. Joint controllers are engaged in the same processing and should consider a data sharing agreement apportioning the parties’ responsibilities
3. So what? Organisations must consider their arrangements with third parties, and ensure they are appropriately documented
4. WEBSITE PRIVACY POLICIES - IS IT A POLICY OR IS IT A NOTICE?
What’s the difference?
1. The GDPR is prescriptive vis-à-vis transparency information
2. Erroneously named ‘privacy policies’ are likely to require attention:
i. External – to the outside world
ii. Internal – to staff
3. Privacy policies – internal document explaining to staff how they must process personal data in order for the organisation to comply with the GDPR – necessary to demonstrate compliance with the Accountability principle.
5. DATA SUBJECTS’ RIGHTS: OPENING THE FLOODGATES
Data subjects’ rights
1. Transparency
2. Access
3. Rectification
4. Erasure
5. Restriction of processing
6. Portability
7. To object
8. Rights in automated decision-making (including profiling)
• BUT no fee, and 30-day response period
6. PERSONAL DATA BREACHES: WHEN TO PUT YOUR HAND UP.
New rules on data breach notification
• Notification to national DPAs
  • Notification without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (unless delay is justified)
  • No obligation to report where the breach is unlikely to result in a risk to individuals
• Notification to data subjects
  • Only if the breach is likely to pose a ‘high risk’ to rights and freedoms
  • Notification without undue delay and in clear language
• Processors are only obliged to notify breaches to controllers, and this must be done without undue delay
7. DO WE NEED A DPO?
Mandatory DPOs - Requirement criteria:
1. Processing is carried out by a public authority (except courts)
2. The core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale
3. The core activities of the controller or processor consist of processing on a
large scale of special categories of data (i.e. sensitive personal data)
• Consider appointing a DPO even if not mandatory
• Supervisory Authorities likely to look favourably on organisations that do so
• Recommended by Art. 29 Working Party
7. DO WE NEED A DPO?
Mandatory DPOs - Continued
• DPOs must have sufficient expert knowledge and the necessary professional qualities to fulfil the role – candidates may be hard to find
• DPO can be a full/part time employee or appointed by a service contract (i.e. outsourced) – e.g.
• A DPO's tasks include at least the following:
  • informing the organisation and its employees of their obligations under the GDPR
  • monitoring compliance
  • advising on DPIAs, and
  • co-operating with EU DPAs (supervisory authorities)
8. WHEN DO WE NEED A DPIA?
Data Protection Impact Assessments (DPIAs)
• Requirement for organisations to conduct DPIAs for any new technologies or
activities that involve high risk to individuals
• DPIAs contrast with an audit – a DPIA aims to identify risks in advance
• DPIAs not limited to new technologies (i.e. software etc.) but should also be
conducted for any activity that may involve the collection/processing of
personal data, such as new CCTV system or company intranet, or corporate
acquisition / disposal (e.g. Facebook acquisition of WhatsApp)
• Organisations must implement privacy by design and privacy by default and
ensure new products/services take protection of data into consideration (e.g.
adequate security, pseudonymisation and data minimisation)
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
GDPR Obligations upon processors
The GDPR applies to the processing of personal data:
• in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the Union or not (Art. 3(1));
• of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  • offering goods or services to data subjects in the Union, or
  • monitoring of their behaviour that takes place in the Union (Art. 3(2)).
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Controllers’ obligations
The following obligations fall upon the controller (but not the processor):
• Provide transparency language (Art. 12, 13 & 14);
• Comply with data subjects’ requests to exercise their rights to:
  • access,
  • rectification,
  • erasure,
  • restriction of processing,
  • portability,
  • object to processing; and
  • rights around automated decision taking (Art. 15-22)
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Controllers’ obligations
• Use only processors that provide sufficient guarantees to implement measures that will ensure the requirements of the GDPR are met (Art. 28(1))
• Ensure processors are bound by an engagement contract incorporating the provisions of Article 28(3)
• Notify breaches to the supervisory authorities (Art. 33) and data subjects (Art. 34)
• Conduct data protection impact assessments (DPIAs) (Art. 35).
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
GDPR Obligations upon processors
Under the GDPR, processors must:
• Appoint a representative if they are established outside the EU (Art. 27)
• Not appoint sub-processors without specific or general authorisation of the controller (Art. 28(2))
• Process personal data in accordance with a contract including the provisions of Article 28(3)
• Cooperate with the supervisory authority if required (Art. 31)
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Obligations upon controllers and processors
• Maintain a record of processing activities (Art. 30)
• Implement appropriate security measures (Art. 32)
• Appoint a DPO (if they meet the Art. 37(1) criteria)
• Only transfer personal data to third countries where there are adequate safeguards (Art. 46)
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Controllers’ and processors’ liability
• Controllers and processors may be subject to fines of up to 4% of worldwide annual turnover, or €20,000,000 (Art. 83)
• Where one or more controllers or processors involved in the same processing are liable for damage, each controller or processor shall be held liable for the entire damage to ensure the data subject is effectively compensated (Art. 82(4))
• A controller or processor that has paid the full compensation is entitled to claim back from the other controllers or processors compensation corresponding to their part of responsibility for the damage (Art. 82(5))
• A processor that determines the purposes of processing will be considered a controller in respect of that processing (Art. 28(10))
10. BUT IS THIS ALL JUST LIKE THE Y2K BUG, RIGHT?
Data protection, post GDPR
• GDPR compliance has been mandatory since 25th May; but the flurry of activity marked the beginning, rather than the end.
• The GDPR obliges organisations to report serious data breaches to the ICO
• Data breaches reported to the ICO have increased from 2,447 last year to 3,156 this year (a 29% increase)
• The ICO received 1,700 breach notifications in June, a dramatic increase compared with previous levels (360-390 breach notifications / month)
10. BUT IS THIS ALL JUST LIKE THE Y2K BUG, RIGHT?
Data protection, post GDPR
• In the UK the ICO intends to recruit 200 more staff over the next two years to manage the increased workload the GDPR introduces.
• Mandatory breach notification, a better informed general public and high profile incidents such as Cambridge Analytica / Facebook are likely to keep data protection in the spotlight for the foreseeable future.
• Organisations that were previously unaware can’t ‘un-see’ the GDPR
• Organisations must remain compliant with the new law on an ongoing basis
GDPR Training Courses
• GDPR Introduction – 1 Day Course
• GDPR Foundation – 2 Days Course
• Certified Data Protection Officer – 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/gdpr
www.pecb.com/events
THANK YOU
jcastro-edwards@wedlakebell.com
www.wedlakebell.com
linkedin.com/in/james-castro-edwards-7775a72

Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 

Recently uploaded

S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
tarandeep35
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Dr. Vinod Kumar Kanvaria
 
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptxChapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
Bisnar Chase Personal Injury Attorneys
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Akanksha trivedi rama nursing college kanpur.
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
adhitya5119
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
thanhdowork
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Excellence Foundation for South Sudan
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
camakaiclarkmusic
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
Nicholas Montgomery
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
Celine George
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
IreneSebastianRueco1
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
heathfieldcps1
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
Assignment_4_ArianaBusciglio Marvel(1).docx
Assignment_4_ArianaBusciglio Marvel(1).docxAssignment_4_ArianaBusciglio Marvel(1).docx
Assignment_4_ArianaBusciglio Marvel(1).docx
ArianaBusciglio
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
Israel Genealogy Research Association
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
Priyankaranawat4
 

Recently uploaded (20)

S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
 
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptxChapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
Assignment_4_ArianaBusciglio Marvel(1).docx
Assignment_4_ArianaBusciglio Marvel(1).docxAssignment_4_ArianaBusciglio Marvel(1).docx
Assignment_4_ArianaBusciglio Marvel(1).docx
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 

The GDPR: Common misunderstandings and lessons learned so far

OVERVIEW
1. The great re-consenting swindle
2. Updating processor contracts - re-papering the world?
3. Are we joint controllers?
4. Website privacy policies: is it a Policy or is it a Notice?
5. Data subjects’ rights: opening the floodgates.
6. Personal data breaches: when to put your hand up.
7. Do we need a DPO?
8. When do we need a DPIA?
9. We’re a processor, so what exactly are we supposed to do?
10. But is this all just like the Y2K bug, right?
1. THE GREAT RE-CONSENTING SWINDLE
Please tick the box if you would like to stay in touch…
• Fairness, lawfulness and transparency
• Lawful basis + transparency
• One potential lawful basis is consent, but there are others…
1. THE GREAT RE-CONSENTING SWINDLE
Lawful grounds for processing personal data
Controllers must establish at least one of the following grounds:
1. Data subject’s consent
2. Contractual performance, or pre-contractual steps at data subject’s request
3. Compliance with controller’s legal obligation
4. The vital interests of the data subject (or another person)
5. Performance of a task carried out in the public interest, or exercise of official authority
6. The processing is necessary for legitimate interests pursued by the controller or a third party, except where the interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data (i.e. legitimate interests ≠ ‘get out of jail free’)
Note the conditions for processing special categories of personal data are different.
1. THE GREAT RE-CONSENTING SWINDLE
Consent:
• Valid consent must be:
• freely given
• specific
• informed (concise, transparent, intelligible and easily accessible)
• unambiguous
• positive affirmation
• Sensitive personal data requires explicit consent
• The data controller bears the burden of proof
• Capable of withdrawal at any time, without detriment
1. THE GREAT RE-CONSENTING SWINDLE
So do we need to ‘re-consent’?
• The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
• Regulates unsolicited, direct marketing by electronic means:
• ‘Electronic’ = email, text, telephone (live & automated) or fax
• ‘Direct marketing’ = directed to a specific individual (calls, texts and emails are inevitably ‘direct marketing’ and hence covered by this definition)
• ‘Unsolicited’ = not actively requested by the individual
• Genuine market research ≠ direct marketing
• Routine customer service messages ≠ direct marketing
• ‘Opt-in’ consent generally required – subject to exceptions
• What if you have already sent the ‘re-consent’ email?
2. UPDATING PROCESSOR CONTRACTS - RE-PAPERING THE WORLD?
The GDPR applies to processors as well as controllers…
1. Controllers must only use processors that provide sufficient guarantees
2. Controllers must ensure processors are bound by an appropriate contract – significantly more detailed than under the Data Protection Act 1998
3. Failure may be a breach of organisational security measures
4. May come under scrutiny following a breach
3. ARE WE JOINT CONTROLLERS?
Controllers in common vs. joint controllers
1. Controllers in common may process the same personal data for different purposes
2. Joint controllers are engaged in the same processing and should consider a data sharing agreement apportioning the parties’ responsibilities
3. So what? Organisations must consider their arrangements with third parties, and ensure they are appropriately documented
4. WEBSITE PRIVACY POLICIES - IS IT A POLICY OR IS IT A NOTICE?
What’s the difference?
1. The GDPR is prescriptive vis-à-vis transparency information
2. Erroneously named ‘privacy policies’ are likely to require attention:
i. External – to the outside world
ii. Internal – to staff
3. Privacy policies – internal document explaining to staff how they must process personal data in order for the organisation to comply with the GDPR; necessary to demonstrate compliance with the Accountability principle.
5. DATA SUBJECTS’ RIGHTS: OPENING THE FLOODGATES
Data subjects’ rights
1. Transparency
2. Access
3. Rectification
4. Erasure
5. Restriction of processing
6. Portability
7. To object
8. Rights in automated decision-making (including profiling)
• BUT no fee, and 30-day response period
6. PERSONAL DATA BREACHES: WHEN TO PUT YOUR HAND UP.
New rules on data breach notification
• Notification to national DPAs
• Notification without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (unless delay justified)
• No obligation to report where unlikely to result in risk to individuals
• Notification to data subjects
• Only if breach is likely to pose a ‘high risk’ to rights and freedoms
• Notification without delay and in clear language
• Processors are only obligated to notify breaches to controllers, and this must be done without undue delay
7. DO WE NEED A DPO?
Mandatory DPOs - Requirement criteria:
1. Processing is carried out by a public authority (except courts)
2. The core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale
3. The core activities of the controller or processor consist of processing on a large scale of special categories of data (i.e. sensitive personal data)
• Consider appointing a DPO even if not mandatory
• Supervisory Authorities likely to look favourably on organisations that do so
• Recommended by Art. 29 Working Party
7. DO WE NEED A DPO?
Mandatory DPOs - Continued
• DPOs must have sufficient expert knowledge and the necessary professional qualities to fulfil the role – candidates may be hard to find
• DPO can be a full/part time employee or appointed by a service contract (i.e. outsourced) – e.g.
• A DPO's tasks include at least the following:
• informing the organisation and its employees of its obligations under GDPR
• monitoring compliance
• advising on DPIAs and
• co-operating with EU DPAs
8. WHEN DO WE NEED A DPIA?
Data Protection Impact Assessments (DPIAs)
• Requirement for organisations to conduct DPIAs for any new technologies or activities that involve high risk to individuals
• DPIAs contrast with an audit – they aim to identify risks in advance
• DPIAs not limited to new technologies (i.e. software etc.) but should also be conducted for any activity that may involve the collection/processing of personal data, such as a new CCTV system or company intranet, or a corporate acquisition / disposal (e.g. Facebook acquisition of WhatsApp)
• Organisations must implement privacy by design and privacy by default and ensure new products/services take protection of data into consideration (e.g. adequate security, pseudonymisation and data minimisation)
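The DPIA slide lists pseudonymisation and data minimisation as privacy-by-default measures without showing what they look like in practice. The following Python is an added example and not part of the PECB deck: a record leaving the system of record is first cut down to the fields the downstream purpose needs, then its direct identifier is replaced by a keyed pseudonym. The key is the "additional information" that must be held separately from the output; the sample records, the hypothetical analytics purpose and the function names (`prepare_for_analytics`, `ANALYTICS_FIELDS`) are all assumptions made for the illustration.

```python
"""Pseudonymisation plus data minimisation for a privacy-by-default export.

Added illustration, not code from the slides. A keyed HMAC is used rather than
a plain hash so that someone holding only the output cannot recover e-mail
addresses by hashing a list of candidate addresses; the key is kept apart from
the exported data, which is what makes the output pseudonymous rather than
merely hashed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample records (fictional people), standing in for a CRM table.
SAMPLE_RECORDS: List[Dict] = [
    {"email": "alice@example.com", "name": "Alice Example",
     "postcode": "AB1 2CD", "plan": "pro", "logins_30d": 14},
    {"email": "bob@example.com", "name": "Bob Example",
     "postcode": "EF3 4GH", "plan": "free", "logins_30d": 2},
]

# Hypothetical purpose: usage analytics. Only these fields are needed for it;
# name, e-mail and postcode are not, so data minimisation drops them.
ANALYTICS_FIELDS = ("plan", "logins_30d")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that must be stored separately from the export."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same identifier + same key -> same output.

    Normalising case and whitespace first means 'Alice@Example.com ' and
    'alice@example.com' map to the same subject, which keeps joins stable.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: Dict, keep: Iterable[str]) -> Dict:
    """Data minimisation: retain only the fields the stated purpose requires."""
    return {field: record[field] for field in keep if field in record}


def prepare_for_analytics(record: Dict, key: bytes,
                          keep: Iterable[str] = ANALYTICS_FIELDS) -> Dict:
    """Build the record that is allowed to leave the system of record."""
    out = minimise(record, keep)
    # The pseudonym replaces the e-mail address as the row identifier.
    out["subject_id"] = pseudonymise(record["email"], key)
    return out


def pipeline(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Apply minimisation and pseudonymisation to every record."""
    return [prepare_for_analytics(r, key) for r in records]


if __name__ == "__main__":
    # The key would normally live in a secrets store, never beside the export.
    key = new_pseudonymisation_key()
    for row in pipeline(SAMPLE_RECORDS, key):
        print(row)
```

Two properties follow from the design and are worth checking in a DPIA: the exported rows contain no field that directly identifies a person, and destroying or rotating the key makes existing pseudonyms unlinkable to new ones, which is a practical way to honour an erasure request for data held in the analytics copy.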
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
GDPR obligations upon processors
The GDPR applies to the processing of personal data:
• in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the Union or not (Art. 3(1));
• of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
• offering goods or services to data subjects in the Union, or
• monitoring of their behaviour that takes place in the Union (Art. 3(2)).
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Controllers’ obligations
The following obligations fall upon the controller (but not the processor):
• Provide transparency language (Art. 12, 13 & 14);
• Comply with data subjects’ requests to exercise their rights to:
• access,
• rectification,
• erasure,
• restriction of processing,
• portability,
• object to processing; and
• rights around automated decision taking (Art. 15-22)
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Controllers’ obligations
• Use only processors that provide sufficient guarantees to implement measures that will ensure the requirements of the GDPR are met (Art. 28(1))
• Ensure processors are bound by an engagement contract incorporating the provisions of Article 28(3)
• Notify breaches to the supervisory authorities (Art. 33) and data subjects (Art. 34)
• Conduct data protection impact assessments (DPIAs) (Art. 35).
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
GDPR obligations upon processors
Under the GDPR, processors must:
• Appoint a representative if they are established outside the EU (Art. 27)
• Not appoint sub-processors without specific or general authorisation of the controller (Art. 28(2))
• Process personal data in accordance with a contract including the provisions of Article 28(3)
• Cooperate with the supervisory authority if required (Art. 31)
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Obligations upon controllers and processors
• Maintain a record of processing activities (Art. 30)
• Implement appropriate security measures (Art. 32)
• Appoint a DPO (if they meet the Art. 37(1) criteria)
• Only transfer personal data to third countries where there are adequate safeguards (Art. 46)
9. WE’RE A PROCESSOR, SO WHAT EXACTLY ARE WE SUPPOSED TO DO?
Controllers’ and processors’ liability
• Controllers and processors may be subject to fines of up to 4% of worldwide annual turnover, or €20,000,000 (Art. 83)
• Where one or more controllers or processors involved in the same processing are liable for damage, each controller or processor shall be held liable for the entire damage to ensure the data subject is effectively compensated (Art. 82(4))
• A controller or processor that has paid the full compensation is entitled to claim back from the other controllers or processors compensation corresponding to their part of responsibility for the damage (Art. 82(5))
• A processor that determines the purposes of processing will be considered a controller in respect of that processing (Art. 28(10))
10. BUT IS THIS ALL JUST LIKE THE Y2K BUG, RIGHT?
Data protection, post GDPR
• GDPR compliance has been mandatory since 25th May, but the flurry of activity marked the beginning, rather than the end.
• The GDPR obliges organisations to report serious data breaches to the ICO
• Data breaches reported to the ICO have increased from 2,447 last year to 3,156 this year (a 29% increase)
• The ICO received 1,700 breach notifications in June, a dramatic increase compared with previous levels (360-390 breach notifications / month).
10. BUT IS THIS ALL JUST LIKE THE Y2K BUG, RIGHT?
Data protection, post GDPR
• In the UK the ICO intends to recruit 200 more staff over the next two years to manage the increased workload the GDPR introduces.
• Mandatory breach notification, a better informed general public, and high profile incidents such as Cambridge Analytica / Facebook are likely to keep data protection in the spotlight for the foreseeable future.
• Organisations that were previously unaware can’t ‘un-see’ the GDPR
• Organisations must remain compliant with the new law on an ongoing basis
GDPR Training Courses
• GDPR Introduction – 1 Day Course
• GDPR Foundation – 2 Days Course
• Certified Data Protection Officer – 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/gdpr
www.pecb.com/events