EU GENERAL DATA PROTECTION REGULATION (GDPR) – FIRST STEPS
• GDPR replaces Directive 95/46/EC and, in the UK, builds on the concepts of the Data Protection Act 1998
• Designed to give individuals more control over the use of their personal data
• Explicitly shifts the emphasis onto data controllers demonstrating compliance (accountability)
• Places specific, direct obligations on data processors
• Changes the way organisations process personal data

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.

TIME UNTIL GDPR ENFORCEMENT: 42 days and counting… (enforcement date 25 May 2018)
WHICH ORGANISATIONS?

Likely to apply to all organisations.

• Applies to any activity of an organisation that amounts to the ‘processing’ of ‘personal data’ (PD) of a natural person (a living individual)
• Territorial scope is wide: it covers organisations established in the EU, and organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU

What changes?
• GDPR definitions and scope are wider
• Main aim is to protect the rights of individuals, who gain more rights
• Processors have their own defined obligations
• Much larger fines for not complying with GDPR
PERSONAL DATA

• “Personal data” means any information relating to an identified or identifiable natural person (the “data subject”)
• Includes: name, address, location data, online identifiers, cookies, IP address, and any factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Example record (illustrative data):
Name: Laura Kao
Born: 22.06.86
Student ID: 6715
22 Loft Road etc.
j.chan@email.com
British
Buddhist
Partially sighted
Blood Group: A
Laura Kao’s photo

Note that religion (Buddhist) and health information (partially sighted, blood group) are ‘special category’ data under Article 9, which may only be processed under a narrower set of conditions, and a photo becomes biometric special-category data when it is processed to uniquely identify someone.
PROCESSING

• “Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage … erasure or destruction
• Covers essentially everything an organisation does with personal data, including misuse of the information
CONTROLLER

“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data…

Examples:
• A bank collects the data of its clients when they open an account.
• A law firm collects data when opening a client’s file.
• A retail outlet collects data to provide a customer with an online receipt.
PROCESSOR

“Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

• Data centres, document management companies, or any company to which work is outsourced on behalf of the controller

Wider responsibilities:
• A processor can be liable for damage if it acts outside the controller’s documented instructions or fails to meet its own GDPR obligations; if it determines the purposes and means of processing itself, it is treated as a controller for that processing
• A processor must maintain records of the processing it carries out on behalf of each controller
• A processor must provide the controller with sufficient guarantees that it is GDPR compliant
GDPR – GREATER RIGHTS FOR INDIVIDUALS

• Right to be informed about the processing of their PD
• Right of access to their PD – the subject access request (‘SAR’)
• Right to rectification of their PD
• Right to erasure of their PD – the ‘right to be forgotten’
• Right to restrict processing
• Right to data portability
• Right to object (including an absolute right to object to direct marketing) and rights in relation to automated decision-making and profiling
RISKS

Once the personal data has been obtained, the organisation carries the risk for it: the headline risk is loss of personal data.
NON-COMPLIANCE – FINES!

• Up to 10 million euro or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4))
• Up to 20 million euro or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5))
STEPS TOWARDS COMPLIANCE

Training and Awareness
• Staff must be trained on the law, and on the organisation’s policies and procedures
• This applies to directors and stakeholders as well
INFORMATION AUDIT

Know what data you have, where it came from, who you are sharing it with, and why you are sharing it.
• Where is the data you process, and how is it protected?
• Who provides the data?
• What is the lawful basis for processing it?
• Who do you share data with? For what purpose? Under what security?
• Are the key principles being complied with?
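An information audit starts with finding out where personal data actually sits. The following is an added example, not code from the original slides or from QA: a minimal personal-data discovery pass that walks constructed sample data stores, classifies each field as personal data or Article 9 special-category data using field-name hints and value patterns, and builds an inventory of what is held where. The field names, regular expressions, store names and sample records (one of which reuses the slide’s illustrative Laura Kao record) are assumptions for illustration; a real audit would tune the heuristics to its own schemas.

```python
"""
Personal-data discovery pass for an information audit.

Added example, not code from the original slides or from QA. It walks
constructed sample data stores, classifies each field as personal data or
special-category data using field-name hints and value patterns, and builds
an inventory of what personal data is held where. The field names, regexes,
store names and sample records are illustrative assumptions.
"""
import re
from collections import defaultdict

# Value-shape patterns (assumed heuristics; a real audit tunes these to its data)
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "date_of_birth": re.compile(r"^\d{2}\.\d{2}\.\d{2,4}$"),
}

# Field-name hints for personal data with no distinctive value shape (assumed)
NAME_HINTS = {
    "name": "name",
    "address": "address",
    "student_id": "identifier",
    "cookie": "online_identifier",
    "nationality": "nationality",
    "photo": "photo",
}

# Article 9 special categories: narrower lawful bases, tighter controls
SPECIAL_HINTS = {
    "religion": "religious_belief",
    "disability": "health",
    "blood_group": "health",
    "ethnicity": "racial_or_ethnic_origin",
}


def classify_field(name, value):
    """Return (category, is_special), or None if the field looks non-personal."""
    key = name.lower()
    for hint, category in SPECIAL_HINTS.items():
        if hint in key:
            return category, True
    for hint, category in NAME_HINTS.items():
        if hint in key:
            return category, False
    if isinstance(value, str):
        for category, pattern in PATTERNS.items():
            if pattern.match(value.strip()):
                return category, False
    return None


def inventory(stores):
    """Build a data map: for each store, which fields hold which kind of PD."""
    data_map = {}
    for store, records in stores.items():
        fields_by_category = defaultdict(set)
        special = set()
        for record in records:
            for field, value in record.items():
                hit = classify_field(field, value)
                if hit is None:
                    continue
                category, is_special = hit
                fields_by_category[category].add(field)
                if is_special:
                    special.add(category)
        data_map[store] = {
            "records": len(records),
            "personal_data_fields": {c: sorted(f) for c, f in fields_by_category.items()},
            "special_categories": sorted(special),
        }
    return data_map


def stores_needing_dpia(data_map):
    """Stores holding special-category data are candidates for a DPIA."""
    return sorted(s for s, m in data_map.items() if m["special_categories"])


# Constructed sample stores; the first reuses the slide's illustrative record.
SAMPLE_STORES = {
    "students": [
        {"name": "Laura Kao", "born": "22.06.86", "student_id": "6715",
         "address": "22 Loft Road", "email": "j.chan@email.com",
         "nationality": "British", "religion": "Buddhist",
         "disability": "Partially sighted", "blood_group": "A",
         "photo": "laura_kao.jpg"},
    ],
    "web_logs": [
        {"ip": "203.0.113.7", "cookie": "sid=abc123", "path": "/index"},
    ],
    "stock": [
        {"sku": "A-100", "qty": 4},
    ],
}


if __name__ == "__main__":
    data_map = inventory(SAMPLE_STORES)
    for store, summary in data_map.items():
        print(store, summary)
    print("DPIA candidates:", stores_needing_dpia(data_map))
```

The output is a first-cut data map: the student store is flagged for health and religious-belief data (and so as a DPIA candidate), the web logs are flagged for IP addresses and cookie identifiers, which are personal data even though no name appears in them, and the stock table is clear. Field-name hints are checked before value patterns so that a short value such as a blood group of “A” is still caught; the remaining audit questions (source, lawful basis, recipients, safeguards) are recorded against each flagged field by hand.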
SECURE PROCESSING

• Protect the CIA (confidentiality, integrity and availability) of data
• Train staff on their roles and responsibilities
• Design security controls based on a risk assessment
• Follow the ‘need to know’ and ‘least privilege’ principles for access control
• Have appropriate technical and organisational measures in place
• Ensure accountability for all actions (who did what, when, and to which data)
• Data protection by design and by default, and Data Protection Impact Assessments (DPIAs) for high-risk processing
POLICIES, NOTICES, PROCEDURES UPDATE

• Privacy notice, information security policy, data protection policy, acceptable use policy (AUP)
• Consent procedure and withdrawal of consent – remember children!
• SAR procedure, notices and records; complaints procedure
• Data portability procedure
• Data breach notification procedure
• Sub-processor contracts; Data Protection Impact Assessments
DATA BREACH NOTIFICATION

• Policies and procedures
• Employee awareness
• Internal reporting procedure
• Breach management process
• Assess the risk: is the breach likely to result in a risk to individuals?
• If so, report to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it
• If the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay
BENEFITS AND IMPACTS OF GDPR

Potential benefits
• Increased customer trust and loyalty
• A ‘clean house’: knowing what data you hold and why
• Increased level of security
• Positive effect on the brand
• Increased revenue potential
• A real business driver

Impact of non-compliance
• Financial penalty from the ICO
• Other financial loss, e.g. loss of revenue and incident management costs
• Impact on the data subjects
• Reputational impact
• Organisational risk
THANK YOU
More information about QA’s Cyber Practice can be found at qa.com/cyber
More information about QA’s GDPR courses can be found at qa.com/GDPR

Happy clients happy compliance
