05/12/2017
EU General Data Protection Regulation: principal facts and novelties
Caiani EG (1,2)
1 Electronics, Information and Bioengineering Department, Politecnico di Milano, Italy
2 Chair, ESC Working Group on e-Cardiology
Privacy and data protection in the EU

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.

Regulation: a binding legislative act that must be applied in its entirety across the EU, without national transposition.
Directive: a legislative act that sets out a goal that all EU countries must achieve, but it is up to the individual countries to decide how to reach that goal in national law.

enrico.caiani@polimi.it
Key changes: increased territorial scope (extra-territorial applicability)

Extended jurisdiction: the Regulation applies to all companies processing the personal data of data subjects in the Union, regardless of the company's location (Article 3).

It applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not.

It also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to data subjects in the EU (irrespective of whether payment is required), or monitoring behaviour that takes place within the EU. Note that the test is the data subject's presence in the EU, not EU citizenship.

Non-EU controllers and processors in this situation also have to designate a representative in the EU (Article 27; limited exceptions apply for occasional, low-risk processing).
Personal data: concept

GDPR widens the concept: personal data is any information relating to a natural person (the "data subject") that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information, to an IP address, as well as genetic, mental, cultural, economic and social data. Health, genetic and biometric data belong to the "special categories" of personal data (Article 9), which may be processed only under narrower conditions.
The Data Lifecycle

[Figure: the data lifecycle, showing the data subject, the data controller, the parties handling the data and the Data Protection Authority]

GDPR: a Data Protection Officer must be appointed when the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (Article 37).

GDPR liability extends from the data controller to all parties that touch personal data, processors and sub-processors included.
Legal ground: consent to collect data

Is there a real choice, with no risk of negative consequences for the data subject if consent is refused? Consent that is not freely given is not valid consent.

The request must give a precise and easily understandable description of the matter. Compare the two wordings:

"I allow this app to process my personal data in order to perform the needed processing activities"
(vague: it does not say which data, or for what purpose)

"I allow this app to access my location when I request direction services"
(specific: which data, for which purpose, and when)
Data collection purposes: why do I collect data?

[Figure: legal grounds for processing, including consent of the data subject and the legitimate interest of the data controller]

GDPR: the request for consent must be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form using clear and plain language, with the purpose of the data processing attached to that consent (Article 7). Silence, pre-ticked boxes or inactivity no longer constitute consent. It must be as easy to withdraw consent as it is to give it.
Several scenarios will require changes in strategies

- On-line shopping and loyalty cards
- Fitness trackers (diet, exercise)
- Remote monitoring

Any data processing needs to be explained to users in a clear and concise format, with more explicit detail on what the data is subsequently used for, and notice as and when it is used by third-party applications.
How to store/use the data?

Data controller: technical and organizational measures to prevent data breaches and the subsequent damage; data quality/accuracy: keep the database up to date.

GDPR: privacy by design must be built into systems and processes from the start, not added afterwards (Article 25).

GDPR: breach notification to the supervisory authority is mandatory in all member states where a data breach is likely to "result in a risk to the rights and freedoms of natural persons", within 72 hours of first having become aware of the breach (Article 33). Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay (Article 34).
How long will I keep the data?
How to store/use the data?

Data controller: GDPR requires controllers to hold and process only the data strictly necessary for the purposes for which it is collected (data minimisation principle, Article 5(1)(c)), to keep it no longer than necessary for those purposes (storage limitation, Article 5(1)(e)), and not to change the use of the data from the purpose for which it was originally collected (purpose limitation, Article 5(1)(b)).

The right to be forgotten (right to erasure, Article 17): delete any data at the request of the data subject, cease further dissemination, and potentially have third parties halt processing of the data.

Right of access (Article 15): data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Penalties

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements, e.g. processing without a valid legal basis (such as sufficient customer consent) or violating the basic principles for processing in Article 5, including data minimisation and purpose limitation.

There is a tiered approach to fines: a lower tier of up to 2% of annual global turnover or €10 million applies, for example, to not keeping records of processing activities in order (Article 30), not implementing privacy by design (Article 25), not notifying the supervisory authority and the data subjects about a breach (Articles 33 and 34), or not conducting a data protection impact assessment when one is required (Article 35). It is important to note that these rules apply to both controllers and processors, meaning cloud providers will not be exempt from GDPR enforcement.