This document provides an overview of the General Data Protection Regulation (GDPR) and steps for small and medium-sized businesses to maximize compliance. It begins with the history of data protection regulations in Europe from post-World War II to the finalization of the GDPR in 2016. The rest of the document outlines the content and principles of the GDPR, data subject rights and controller responsibilities, international data transfers, remedies for non-compliance, and administration of the regulation. It also provides recommendations for businesses to understand how the GDPR impacts them, document their data processing activities, ensure security and privacy, and seek guidance on following the regulation's requirements.
GDPR Compliance for SMEs Maximized
1. Hans Demeyer
Supplier of Optimism & Inspiration
On GDPR
The General Data Protection Regulation
and how to maximize compliance
2. History
• Post-World War II
• 1950 – European Declaration of Rights
• 1992 – Belgian law on personal privacy
• 1995 – European privacy directives
• 2000-2010 – Telecommunications law, e-commerce, additional local directives, CLAs
• May 2016 – General Data Protection Regulation
• Grace period
• May 2018 – binding law
3. GDPR – content
General and principles
Data Subject rights
Controller responsibilities
Sending data outside the EU
Remedies
Administration
Security
6. Hans Demeyer
Supplier of Optimism & Inspiration
• Linkedin.com/in/hansdemeyer
• Hans@thedataprotectionoffice.eu
8. "your approach is disruptive and far better than what the average SME delivers. Don't let that value get lost."
"Finally a pragmatic and clear session on GDPR. Thank you."
"inspiring and ready to put into action"
"no fear, just optimism and concrete action outlines"
11. What data?
Personal data (active opt-in*)
- Name: Sophie D
- Address: street, number, city, country
- Mail address: Sophie@Hotmail.com
- Photo
- Biometric info: fingerprints, face recognition, …
- IP address, MAC address
- IQ info
- Profiling info
- Online behaviour
- Location data
- Aliases (Twitter, FB, …)
- Combinations leading to potential identification of a natural person
Sensitive data (explicit consent)
- Sexual preferences
- Medical info
- Union choice
- Political, religious preferences
- Memberships
- National ID number
*Unless < 16
Company data (info@, sales@, …) are not GDPR sensitive.
17. GDPR rights for citizens
Questions a citizen may put to your organisation:
- How are you processing my data?
- What personal data do you have?
- Please correct or add incomplete data
- Please remove my data
- Please stop using my data for marketing
- Opt me out of one specific part of the processing
- Can I get a copy of my data?
- I object to a presumed automated decision
- What do you need my data for?
- How long do you keep my data?
- Where do you store my personal data?
23. Data processing – 6 grounds
1 CONSENT
• Communicated upfront
• Clear
• Fragmented
• Recorded
• Procedure
• Motivated
• Relevant
2 CONTRACT
• All processing and data transfer required to fulfil the agreement
• No additional consent required
3 LAW
• All processing and data transfer required by law
• No additional consent required
4 HEALTH
• All processing and data transfer to assure the health of an individual or group
• No additional consent required
5 COMMON INTEREST
• All processing and data transfer to assure the common interest, security, … of a group
• No additional consent required
6 LEGITIMATE CAUSE
• All processing and data transfer, pondered and motivated, that serves the interests of the subject and the controller without conflicts
When processing personal data, always check whether one of these six grounds applies.
25. Be accountable – document your processes
Register of processing activities (column headers, translated from Dutch):
- Functional description: identification of and information about the processing: number, functional description, purpose, legal ground, type of processing and functional description
- Data used and data subjects: details of the data processed and of the data subjects whose data are processed: functional category, sensitive category of data processing, category of data subjects, classification level, retention period, authentic source
- Processor: identification of the processor (external to the organisation) involved in the processing: name, data processing contract number
- Data exchange: information about any data exchange with third parties: data category(ies), recipient category(ies), third country/international organisation, documents of appropriate safeguards
- Technology: description of the technology, applications and software used in the processing
- Risk & security measures: information about the risk and the security measures of the data processing: risk, description of security measures, documentation of security measures, DPIA
- Data subject rights: reference to the documents that define the procedures for respecting the rights of the data subjects
- Status: information about the status of the processing: start date, end date and replacement processing
- Remark: note any remarks/points of attention regarding the processing activity
Worked example, one row of the register:
- Process: Newsletter sharing
- Purpose (why): Send updates via newsletter
- Data processed (what): Name, mail address
- Retention (how long): till opt-out by customer
- Data processor (who): Marketing dpt
- Legal ground: Consent (legitimate interest ?)
- What technology is used?: Mailchimp
- What is the risk?: low
- What rights could be exercised?: Correct, get, opt-out, forget
- Status: Checking software & process
- Remarks: Ready for May 25
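As an added illustration (not part of the deck), a small Python model of this register that encodes the deck's own checks: the legal ground must be one of the six grounds of slide 23, sensitive data from slide 11 needs explicit consent, and retention and data subject rights must be documented. The field names, the validate() function and the sick-leave record are constructed for this example; the newsletter record mirrors the slide's row (status and remarks columns omitted).

```python
from dataclasses import dataclass

# Six processing grounds of slide 23 ("legitimate cause" there is the
# "legitimate interest" of the register example).
LEGAL_GROUNDS = ("consent", "contract", "law", "health", "common interest", "legitimate interest")
# Sensitive categories of slide 11; these need explicit consent.
SENSITIVE = {"sexual preferences", "medical info", "union choice", "political prefs",
             "religious prefs", "memberships", "national id number"}

@dataclass
class ProcessingRecord:
    """One register row; field names follow the slide's column headers."""
    process: str
    purpose: str
    data: set
    retention: str
    processor: str
    legal_ground: str
    technology: str
    risk: str
    rights: set

def validate(rec: ProcessingRecord) -> list:
    """Return the accountability gaps in one record (empty list means OK)."""
    gaps = []
    ground = rec.legal_ground.strip().lower()
    if "?" in ground:  # e.g. "Consent (legitimate interest ?)" on the slide
        gaps.append("legal ground undecided")
    elif ground not in LEGAL_GROUNDS:
        gaps.append(f"legal ground '{rec.legal_ground}' is not one of the six")
    sensitive = sorted(d for d in rec.data if d.lower() in SENSITIVE)
    if sensitive and ground != "consent":
        gaps.append(f"sensitive data {sensitive} needs explicit consent, "
                    f"ground is '{rec.legal_ground}'")
    if not rec.retention.strip():
        gaps.append("retention period not documented")
    if not rec.rights:
        gaps.append("no data subject rights procedure referenced")
    return gaps

# The newsletter row of the slide as a record.
NEWSLETTER = ProcessingRecord(
    "Newsletter sharing", "Send updates via newsletter", {"name", "mail address"},
    "until opt-out by customer", "Marketing dept", "Consent (legitimate interest ?)",
    "Mailchimp", "low", {"correct", "get", "opt-out", "forget"})
# A constructed HR record with several gaps (hypothetical, not from the slides).
SICK_LEAVE = ProcessingRecord(
    "Sick leave tracking", "Plan staffing", {"name", "medical info"}, "",
    "HR dept", "contract", "spreadsheet", "high", set())
```

Running validate(NEWSLETTER) flags only the undecided legal ground, which is exactly the open question on the slide's row.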
26. Job applications & staff
• Existing CLAs (61, 81, 82, 89, …)
• Check your HR agency
• Add a GDPR "NDA" to the contract
29. « Risk assessment »
Risk matrix (figure): probability of leaks (unlikely, low, medium, high, certain) against impact of leaks (negligible, minimal, significant, high, critical).
Rights at stake:
• Respect for private and family life, home and communications
• Physical and mental integrity
• Liberty and security
• Freedom of thought
• Data protection
• Freedom to work and choose an occupation
Incidents must be reported within 72 hrs.
30. Security = where, what, who, when, how?
Locations (figure): on premise vs. outside (! outside Europe); fixed vs. mobile.
List:
- devices
- software
- apps
- other?
as you see them inside the company and outside the company, both fixed and mobile.