
Understanding the EU's new General Data Protection Regulation (GDPR)



In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation, the GDPR does not require the implementation of legislation, and will immediately become an applicable law as of the 25th of May, 2018.

What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”

In short, organizations that conduct business in the EU will need to be compliant with GDPR, and must come to terms with the huge fines that non-compliance can carry. Fines can be up to €20M or 4% of the annual turnover. For companies that experience breaches that result in the loss of personal data (such as Talk Talk, which lost 170,000 people’s data), the fines will be tremendous.

Join us for a discussion about GDPR to learn more about:

The principles that organizations that use personal data need to adhere to
The consequences organizations can face if they do not adhere to this new regulation
How your organization can prepare for the future

Published in: Technology


  1. Understanding the EU's new General Data Protection Regulation (GDPR)
  2. GDPR at Acquia: “Acquia is well positioned to meet the GDPR requirements by the May 2018 deadline. We are building on work we have done to obtain and maintain our EU-U.S. Privacy Shield framework certification, as well as our work with customers around the EU model clauses that Acquia has also implemented. We’re focused not only on meeting our own obligations, but also on providing the tools that our customers will need to help them meet their obligations under GDPR as well.”
  3. Who am I: Tassos Koutlas, PhD, UK Technical Director, FFW. Have been working in technology for 15 years: Drupal and the web; machine learning and machine vision; DevOps.
  4. Contents: Context; Definitions; Principles; Rights; Penalties; How to prepare. Context: European law has two types of legislation: (1) Directives, which member states implement; (2) Regulations, which are immediately applicable. EU GDPR is a regulation. 1981 - EU Treaty 108 - 8 principles for protecting personal data; 1995 - EU Data Protection Directive (95/46/EC); 1998 - Human Rights Act (HRA 1998) - Art. 8 right to privacy; 2016 - EU GDPR approved, law in 2 years.
  5. Definitions
  6. Subject matter: Rules relating to the protection of natural persons with regard to the processing of personal data. Processing means any operation or set of operations which is performed on personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. A natural person is a living individual. Personal data is any information relating to an identified or identifiable natural person ('data subject'): name, identification number, location data, an online identifier or any factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  7. Controller: Determines the purposes and means of the processing of personal data. It can be a natural or legal person, public authority, agency or other body. It can act alone or jointly with others. FFW and Acquia are controllers of the data they are collecting regarding their marketing activities. Processor: Processes personal data on behalf of the controller. It can be a natural or legal person, public authority, agency or other body. FFW and Acquia are processors for other parties as part of their services.
  8. Consent: It signifies agreement to the processing of personal data. It must be freely given and must give a specific, informed and unambiguous indication of the data subject's wishes. It must be by a statement or by a clear affirmative action.
  9. Principles
  10. Privacy by design: GDPR enforces the concept of data protection by design and by default. Businesses and organisations need to adhere to a few principles with regard to the personal data they are processing. The law states explicitly that organisations are responsible for, and should be able to demonstrate, compliance with those principles.
  11. Six principles: Six principles are mentioned with regard to personal data. 1. Should be processed lawfully, fairly and in a transparent way. 2. Should be collected for specified, explicit and legitimate purpose. 3. Should be kept up to date. 4. Should be limited to what is necessary. 5. Should not allow identification of people for longer than necessary. 6. Should be processed in a way that ensures appropriate security.
  12. An example: Requiring consent to exhibit the lawfulness of processing personal data (principle 1): consent was freely given, specific, informed and unambiguous; it was a positive opt-in; the person was informed that she can withdraw consent at any time. Compliance: clear privacy notice and terms and conditions, opt-in rather than opt-out; ability for people to withdraw consent. Another example: Asking for feedback through a form on the website that captures a person's email. Under GDPR an email is personal data. Principle 6: Should be processed in a way that ensures appropriate security. Compliance: SSL and HTTPS traffic only through the website; firewall policy for the database server; access controls for people accessing the network.
  13. Rights
  14. Rights: The following are mentioned with regard to personal data: the right to be informed; the right of access; the right to rectification; the right to erasure (right to be forgotten); the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making, including profiling. Appropriate measures (processes, procedures and training) are needed to allow people to exercise those rights. All forms of communication would need to be in a concise and easily accessible form using clear and plain language. Legal documents would need to be revised so they are more accessible to the general public.
  15. An example: In May 2015 the EU Court of Justice ruled that search engines are responsible for the content they point to and thus need to comply with EU privacy law. Google was asked to comply with the right to be forgotten: it created the framework to remove search results from the EU index, and created the process for people to request removal. Establish processes, procedures and staff training to deal with people exercising their rights.
  16. Penalties
  17. Low: Fine up to 10,000,000 EUR or 2% of total worldwide turnover, whichever is higher: child consent; processing not requiring identification; data protection by design and by default; joint controllers; representative of controllers not established in EU; processing; cooperation with supervisory authority; data security; notifications of breaches to supervisory authority; communication of breaches to data subjects. High: Fine up to 20,000,000 EUR or 4% of total worldwide turnover, whichever is higher: principles relating to the processing of personal data; lawfulness of processing; conditions of consent; processing of special categories of personal data (i.e. sensitive data); data subjects' rights; transfers to third countries; access to supervisory authority; order/limitations on processing or the suspension of data flows.
  18. How to prepare
  19. Steps to prepare. Awareness: Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have. Privacy information: Review your current privacy notices and put a plan in place to make any necessary changes. Information audit: Document what personal data you hold, where it came from and who you share it with. Individuals' rights: Check procedures to ensure they cover all the rights individuals have (e.g. how to delete personal data, or provide data electronically in a commonly used format).
  20. Steps to prepare. Data breaches: Put procedures in place to detect, report and investigate a personal data breach. Data protection by design and data protection impact assessments: Familiarise yourself with the latest guidance from the Article 29 Working Group and how to implement Privacy Impact Assessments for your organisation (or talk to us at FFW about it). Access requests: Update procedures and plan how to handle requests within the timescales. Lawful basis of processing: Identify your lawful basis of processing, document it and update your privacy notice to explain it. Children: Do you need to put systems in place to verify individuals' ages and obtain parental or guardian consent?
  21. Steps to prepare. Data protection officers: Designate someone (within your organisation or some legal entity) to take responsibility for data protection compliance. Assess where the role will sit within the organisational structure. International: If your organisation operates in more than one Member State, determine your lead data protection supervisory authority. Organisations not established in EU: Designate in writing a representative in the EU.
  22. Case study - Hotjar: Thoroughly research the areas of our product and our business impacted by GDPR - COMPLETE; Appoint a Data Protection Officer - COMPLETE; Rewrite our Data Protection Agreement - COMPLETE; Develop a strategy and requirements for how to address the areas of our product impacted by GDPR - COMPLETE; Perform the necessary changes/improvements to our product based on the requirements - IN PROGRESS
  23. Case study - Hotjar: Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR - IN PROGRESS; Thoroughly test all of our changes to verify and validate compliance with GDPR - IN PROGRESS (being done incrementally as changes are completed); Finalize and communicate our full compliance - TO BE ANNOUNCED
  24. Final Thoughts: To prepare for GDPR, you must understand which data you create, where and how you process it, and finally where you store it. Only then will you be able to take the right actions to comply with the new regulations. Acquia and FFW are ready to support you on this journey.
  25. Questions