How to get ready for GDPR compliance


Learn more about the GDPR and how you can adapt to it by following our practical guide.

Published in: Law


  1. GDPR and Cleeng: Get ready for compliance!
  2. What is GDPR? The General Data Protection Regulation requires businesses to protect the personal data and the privacy of individuals in the EU (data subjects, not only EU citizens) in the processing they carry out.
  3. What led to GDPR?
  4. Who is affected? Any company that:
     • has an establishment in an EU country; or
     • has no presence in the EU but processes the personal data of people in the EU (offering them goods or services, or monitoring their behaviour).
     Headcount does not change applicability. The 250-employee threshold only matters for the Article 30 record-keeping exemption, and even a company below it must keep processing records if its processing is not occasional, is likely to result in a risk to data subjects, or includes special categories of personal data.
  5. What do the numbers say?
     • 92% of U.S. companies consider GDPR a number one data protection priority (PwC survey).
     • 50% of the companies affected by GDPR will not be in full compliance by the end of 2018 (Gartner).
     • Fines are tiered: up to €10 million or 2% of worldwide annual turnover for lesser infringements, and up to €20 million or 4% for the most serious ones, whichever is higher in each tier.
  6. Individuals' rights and role definitions. The most important feature of the GDPR is that it clearly defines what an individual's rights are. Individuals have the right to:
     • access their own personal data;
     • rectify inaccurate personal data;
     • challenge automated decision making;
     • object to direct marketing;
     • be forgotten (erasure);
     • data portability.
  7. What changed? Where are the regulations tighter? Major changes and their explanation:
     • Increased territorial scope: the GDPR makes it very clear that it applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not, and to non-EU organisations that target or monitor people in the EU.
     • Consent: the conditions for consent are strengthened. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear language, for every data capture.
     • Breach notification: the data controller must report a personal data breach to the supervisory authority without undue delay and in any event within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
     • Right to access: the controller has to provide a copy of the personal data, free of charge, in an electronic format.
     • Right to be forgotten: the data subject can have the controller erase his or her personal data, cease further dissemination of the data and, where applicable, have third parties halt processing of it; this applies, for example, when the data is no longer needed for its original purpose or when consent is withdrawn.
     • Data portability: the data subject has the right to receive the personal data concerning them, which they previously provided, in a commonly used and machine-readable format, and to transmit that data to another controller.
     • Privacy by design: data protection is built in from the start of system design rather than added afterwards.
  8. Best practices from our industry:
     • Adoption of pseudonymization. Pseudonymization (implemented with keyed hashing, tokenization or encryption) means that personal data can no longer be attributed to a specific data subject without the use of additional information, and that additional information is kept separately, under its own access controls; it can be thought of as an encryption key. It enhances security and allows much freer use of data under the GDPR, although pseudonymized data is still personal data.
     • Revision of consent points. Under the GDPR, consent given by the customer is valid only if the customer gives it freely, based on clear and specific information for each processing operation. Under the old rules such operations could be bundled together; that is no longer the case.
     • Use compliance from tech partners. For example, AWS offers a Data Processing Addendum (DPA) that meets the requirements of the GDPR and is available to all AWS customers. We need to contact our AWS account manager.
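The pseudonymization point above is easier to judge with something concrete. The following is an added example, not Cleeng's code and not part of any AWS material: a minimal Python pseudonymization layer that keeps the "additional information" (the token-to-identity table) in a separate component from the records, shows why an unkeyed hash of an identifier is a weak substitute (anyone who can guess the e-mail address can confirm it), and shows how an erasure request severs the link while the records keyed by the token remain for bookkeeping. The class and function names, e-mail addresses and purchases are all constructed for illustration.

```python
"""Pseudonymization with the re-identification data held separately.

Added example; not Cleeng's code. All identifiers and purchases below are
constructed sample data.

  RecordStore    - what billing/analytics see: random tokens plus business data.
  PseudonymVault - the "additional information" of the GDPR definition: the
                   token <-> identity table, kept in its own trust zone.
"""
import hashlib
import secrets
from typing import Optional


def weak_pseudonym(email: str) -> str:
    """The anti-pattern: an unkeyed hash of the identifier."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidate_emails: list) -> Optional[str]:
    """Anyone who can guess the input can re-identify an unkeyed hash."""
    for email in candidate_emails:
        if weak_pseudonym(email) == token:
            return email
    return None


class PseudonymVault:
    """Holds the only link between tokens and people. Deploy it separately."""

    def __init__(self) -> None:
        self._by_email: dict = {}
        self._by_token: dict = {}

    @staticmethod
    def _normalize(email: str) -> str:
        return email.strip().lower()

    def pseudonymize(self, email: str) -> str:
        """Return the stable token for this person, minting a random one on first sight.

        A random token carries no information about the identifier, so without
        this table there is nothing to guess against (unlike weak_pseudonym)."""
        key = self._normalize(email)
        if key not in self._by_email:
            token = secrets.token_hex(16)
            self._by_email[key] = token
            self._by_token[token] = key
        return self._by_email[key]

    def reidentify(self, token: str) -> Optional[str]:
        return self._by_token.get(token)

    def forget(self, email: str) -> Optional[str]:
        """Erasure request: delete the link and return the orphaned token.

        Records keyed by that token can be retained (e.g. for bookkeeping),
        but they no longer point to an identifiable person."""
        key = self._normalize(email)
        token = self._by_email.pop(key, None)
        if token is not None:
            del self._by_token[token]
        return token


class RecordStore:
    """Holds only tokens and business data; must never see a raw identifier."""

    def __init__(self) -> None:
        self._rows: list = []

    def add_purchase(self, token: str, product: str, amount_eur: float) -> None:
        self._rows.append({"user_token": token, "product": product, "amount_eur": amount_eur})

    def total_for(self, token: str) -> float:
        return sum(r["amount_eur"] for r in self._rows if r["user_token"] == token)

    def leaks(self, identifier: str) -> bool:
        """Check a DPO would run: does any stored value contain the raw identifier?"""
        needle = identifier.strip().lower()
        return any(needle in str(v).lower() for r in self._rows for v in r.values())


def demo() -> dict:
    """Run the full flow on constructed data and return the observable results."""
    vault, store = PseudonymVault(), RecordStore()
    alice = "Alice@Example.com"  # constructed sample identifier
    token = vault.pseudonymize(alice)
    store.add_purchase(token, "season-pass", 49.0)
    store.add_purchase(vault.pseudonymize(alice), "match-day", 9.5)  # same token
    before = vault.reidentify(token)
    vault.forget(alice)
    return {
        "token_len": len(token),
        "leaks": store.leaks(alice),
        "total": store.total_for(token),          # purchases survive erasure
        "reidentified_before": before,
        "reidentified_after": vault.reidentify(token),
        "weak_hash_reversed": dictionary_attack(
            weak_pseudonym(alice), ["bob@example.com", "alice@example.com"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice that matters is where the table lives: if `PseudonymVault` sits in the same database, with the same credentials, as `RecordStore`, the data is not pseudonymized in the GDPR sense, because the "additional information" is not kept separately. A keyed HMAC over the identifier is a common alternative to a random token; it avoids the table but then the key itself becomes the link, so erasure needs key rotation or per-user keys rather than a single row deletion.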
  9. Who needs a dedicated Data Protection Officer (DPO)? Article 37 of the GDPR (Chapter IV, Section 4) states that a Data Protection Officer must be appointed if:
     (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
     (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
     (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
     Importantly, the DPO:
     • must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices;
     • may be a staff member or an external service provider;
     • must have their contact details provided to the relevant DPA;
     • must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge;
     • must report directly to the highest level of management;
     • must not carry out any other tasks that could result in a conflict of interest.
     The good news is that Cleeng can handle most of the sensitive user data management, and with our strong European base and background, many of these functions can be off-loaded to us. Want to know more? Contact us.
  10. GDPR checklist – 12 steps
  11. Current status at Cleeng (major changes and status):
     1. GDPR awareness: every key position at Cleeng is well informed and has a specific role in meeting GDPR compliance.
     2. Held information: Cleeng encrypts its end-user data to keep it safe from potential intrusion. Its infrastructure is hosted on Amazon Web Services and meets SSAE 16 SOC 1.
     3. Communicating privacy information: Cleeng publishes its Privacy Policy on its official website.
     4. Right to access: end-users can access their personal information via the "My Account" feature. The personal data is hidden/masked within our infrastructure.
        Right to be forgotten: Cleeng users can explicitly ask to be forgotten. All their personal information is then permanently erased, while only a User ID is kept for potential future activity. Note: as an eCommerce company, Cleeng must comply with local fiscal laws and keep bookkeeping records for up to 10 years.
        Right to export data: within the "My Account" feature, end-users can request and receive a data export in an appropriate format for further processing.
     5. Update procedures: Cleeng has been working on GDPR compliance over the past year, and our systems and processes are up to date.
     6. Lawful basis for processing personal data: as an eCommerce company, we have to collect personal information in order to identify users and enable the service of our clients. However, the company keeps only the minimum required information (name, email, account entitlement, services purchased), related only to the purchased services. Information collected from our users will not be sold, shared or rented to others in ways different from what is disclosed in our privacy statement.
     7. Consent: the Cleeng website has an explicit opt-in on all of our data capture and account creation points.
     8. Children's information: the Cleeng service does not store age or children-related information. The service itself is targeted at users aged 18+, and we recommend that our clients limit their parental control functions to account restrictions independent of age.
     9. Data breach notification: in accordance with European law, Cleeng partners with best-in-class cybersecurity companies that monitor our platform 24/7 and run ad-hoc penetration tests; detection is what starts the 72-hour notification clock.
     10. Subject access requests / data processing: role-based administration is in place for our main data systems, the Broadcaster Dashboard and the Cleeng Admin.
     11. Data Protection Officer: Cleeng has had an official DPO since September 2017, in charge of privacy and security compliance.
     12. International: as an international organization based in the Netherlands, Cleeng falls under the Dutch DPA, the Autoriteit Persoonsgegevens. Dutch data protection law was the Wet bescherming persoonsgegevens until the GDPR replaced it in May 2018.
  12. Additional reading – useful links