Legal obligations and responsibilities of data processors and controllers under the GDPR
Presented by:
• Alan Calder, founder and executive chairman, IT Governance
3 August 2017
Copyright IT Governance Ltd 2017 – v1.1
TM
www.itgovernance.co.uk
Introduction
• Alan Calder
• Founder of IT Governance
• The single source for IT governance, cyber risk management and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th Edition (Open University textbook)
• www.itgovernance.co.uk
IT Governance Ltd: GRC one-stop-shop
All verticals, sectors and all organisational sizes
Agenda
• The definitions of ‘data controller’ and ‘data processor’ under the GDPR.
• The responsibilities and obligations of controllers and processors.
• The data breach reporting responsibilities of controllers and processors.
• The liability of, and penalties that may be imposed on, data processors and controllers.
• The appointment of joint controllers and subcontracting processors.
The definitions of ‘data controller’ and ‘data processor’ under the GDPR
Article 99: Entry into force and application
• UK organisations that process the personal data of EU residents have only a short time to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
• 8 April 2016 – Council of the European Union adopted the GDPR.
• 12 April 2016 – The GDPR was adopted by the European Parliament.
• 4 May 2016 – The official text of the Regulation was published in the Official Journal of the EU.
• 24 May 2016 – The Regulation entered into force.
• 25 May 2018 – The GDPR will apply.
Key definitions
Article 4(1) ‘Personal data’ means any information relating to an
identified or identifiable natural person (‘data subject’); an identifiable
person is one who can be identified, directly or indirectly.
Key definitions
Article 4(7) ‘Controller’ means the natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing.
Key definitions
Article 4(8) ‘Data processor’ means a natural or legal person, public
authority, agency or any other body that processes personal data on
behalf of the controller.
Key definitions
Article 4(2) ‘Processing’ means any operation or set of operations that is
performed upon personal data or sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, erasure or destruction.
The responsibilities and obligations of controllers and processors
Responsibilities and obligations
To comply with the GDPR, data controllers must determine:
• The legal basis for collecting data;
• Which items of personal data to collect, i.e. the content of the data;
• The purpose or purposes the data is to be used for;
• Which individuals to collect data about;
• Whether to disclose the data and, if so, to whom;
• Whether subject access and other individuals’ rights apply, i.e. the
application of exemptions; and
• How long to retain the data or whether to make non-routine amendments
to the data.
Responsibilities and obligations
Controller:
• Adhere to codes of conduct
• Implement technical and organisational measures
• Implement data protection policies
Responsibilities and obligations
Article 28: Processor
A legal contract must make sure that the processor:
• Processes the personal data only on documented instructions from the
controller;
• Makes sure that persons authorised to process the personal data
observe confidentiality;
• Takes appropriate security measures;
• Respects the conditions for engaging another processor;
• Assists the controller by appropriate technical and organisational
measures;
• Assists the controller in ensuring compliance with the obligations to the
security of processing;
• Deletes or returns all the personal data to the controller after the end of
the provision of services; and
• Makes available to the controller all information necessary to
demonstrate compliance with the Regulation.
Responsibilities and obligations
Within the terms of the agreement with the data controller and their
contract, a data processor may decide:
• What IT systems or other methods to use to collect personal data;
• How to store the personal data;
• The detail of the security surrounding the personal data;
• The means used to transfer the personal data from one organisation
to another;
• The means used to retrieve personal data about certain individuals;
• The method for making sure a retention schedule is adhered to; and
• The means used to delete or dispose of the data.
Responsibilities and obligations
Accountability
• Article 5: Principles relating to processing of personal data
• “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
Responsibilities and obligations
Article 12, clause 2 (and recital 59): The controller must facilitate the exercise of data subject rights.
1. The right to be informed.
2. The right of access.
3. The right to rectification.
4. The right to erasure.
5. The right to restrict processing.
6. The right to data portability.
7. The right to object.
8. Rights in relation to automated decision making and profiling.
Responsibilities and obligations
Article 30: Records of processing activities
• The controller or their representative shall maintain a record of processing
activities containing all of the following information:
– The name and contact details of the controller, joint controller, the
controller's representative and data protection officer (DPO);
– The purposes of the processing;
– A description of the categories of data subjects and of the categories of
personal data;
– The categories of recipients to whom the personal data has been or will
be disclosed;
– International transfers of personal data and the documentation of
appropriate safeguards;
– The envisaged time limits for erasure of the different categories of data;
– A general description of the technical and organisational security
measures implemented.
The data breach reporting responsibilities of controllers and processors
Data breach reporting responsibilities
The definition of a personal data breach in the GDPR:
• A ‘personal data breach’ means a breach of security leading
to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed.
Data breach reporting responsibilities
Obligation for the data processor to notify the data
controller:
• Notification without undue delay after becoming aware.
• No exemptions.
• All data breaches have to be reported.
Data breach reporting responsibilities
Obligation for the data controller to notify the
supervisory authority:
• Notification without undue delay and not later than 72
hours.
• Unnecessary in certain circumstances.
• Description of the nature of the breach.
• No requirement to notify if unlikely to result in a risk to the
rights and freedoms of natural persons.
• Failure to report within 72 hours must be explained.
Data breach reporting responsibilities
Obligation for the data controller to communicate a
personal data breach to data subjects:
• Communication to the data subject without undue delay if high risk.
• Communication in clear plain language.
• Supervisory authority may compel communication with the data
subject.
Exemptions if:
• Appropriate technical and organisational measures are taken;
• A high risk to a data subject will not materialise; or
• Communication with a data subject would involve disproportionate
effort.
The liability of, and penalties that may be imposed on, data processors and controllers
Remedies, liabilities and penalties
Article 79: Natural persons have rights
• Judicial remedy where their rights have been infringed as a result of the processing of personal data.
– In the courts of the Member State where the controller or processor has an establishment.
– In the courts of the Member State where the data subject habitually resides.
• Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.
• The controller involved in processing shall be liable for damage caused by processing.
Remedies, liabilities and penalties
• In each case, fines will be effective, proportionate and
dissuasive.
• Fines administered will take into account technical and
organisational measures implemented.
• €10,000,000 or, in the case of an undertaking, up to 2%
of the total worldwide annual turnover of the preceding
financial year.
• €20,000,000 or, in the case of an undertaking, up to 4%
of the total worldwide annual turnover in the preceding
financial year.
Remedies, liabilities and penalties
Article 83: General conditions for imposing
administrative fines
• The nature, gravity and duration of the infringement;
• The intentional or negligent character of the infringement;
• Any action taken by the controller or processor to mitigate
the damage suffered by data subjects;
• The degree of responsibility of the controller or processor
taking into account technical and organisational
measures implemented by them;
Remedies, liabilities and penalties
Article 82: Right to compensation and liability
• Any person who has suffered material or non-material damage shall
have the right to receive compensation from the controller or
processor.
• The controller involved in processing shall be liable for damage
caused by processing.
• The processor is liable only for damage caused by processing or
where it has acted contrary to lawful instructions of the controller.
• Exemption for the controller and processor where they are not
responsible.
• Joint and several liability to ensure effective compensation.
• Compensation clawback provision.
The appointment of joint controllers
and subcontracting processors
The appointment of joint controllers
Article 26: Joint controllers
• When two or more controllers jointly determine the
purposes and means of processing, they shall be joint
controllers.
Article 29 Working Party guidance
• Joint controllers should appoint one establishment,
which has the power to implement decisions about
processing with respect to all the joint controllers.
The appointment of joint controllers
Article 26: Joint controllers shall:
• Determine the responsibilities and obligations in a transparent
manner and determine their respective responsibilities for
compliance;
• Designate a point of contact for exercising the rights of the data
subject; and
• Decide on the respective duties to:
– Provide data subjects with access to the information collected; and
– Provide information about the controller where personal data has not been obtained from the data subject.
The appointment of joint controllers
Article 26: Joint controllers
• To determine their responsibilities and obligations by means of
arrangement.
• The arrangement between joint controllers shall be made
available to the data subject.
Article 26 (3): Liability of joint controllers
• Joint controllers are jointly and individually liable.
• A joint controller may be exempt from liability if it can prove no
responsibility for the data breach.
The appointment of joint controllers
Article 27: Representatives of controllers or processors not established in the Union
Where the controller or the processor is not established in the
Union:
• They shall designate in writing a representative in the Union.
• A representative shall be established where data processing or
profiling resides.
• The representative shall be mandated to be addressed by
supervisory authorities and data subjects for the purposes of the
Regulation.
• The designation of a representative does not absolve the controller
or processor from legal liabilities.
Subcontracting processors
Data processors may appoint a sub-processor
• Data processors may only process data on behalf of a controller
where a written agreement is made between the two parties.
• The agreement should outline the obligations and
responsibilities, as set out in the GDPR.
• Data processors may not engage a sub-processor or contract a
data processing service provider without the controller’s
authorisation.
Subcontracting processors
Sub-processors or subcontracted processors shall:
• Only process data in accordance with the controller’s instructions;
• Maintain records of data processing activities;
• Make sure that persons authorised to process the personal data
observe confidentiality;
• Take appropriate security measures;
• Assist the controller by applying appropriate technical and
organisational measures;
• Assist the controller in ensuring compliance with the obligations to the
security of processing;
• Delete or return all the personal data to the controller after the end of
the provision of services; and
• Make available to the controller all information necessary to
demonstrate compliance with the Regulation.
IT Governance: GDPR one-stop shop
Self-help materials
• A Pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis: Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Information Commissioner notification support (a legal requirement for DPA compliance): Organisations that process personal data must complete a notification with the Information Commissioner under the DPA.
• Implementing a personal information management system (PIMS): Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001: We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check: The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.
Questions?

Preparing for general data protection regulations (gdpr) within the hous...
 
The Future of the Modern Workplace Event 2019 - Data Security and Protection
The Future of the Modern Workplace Event 2019 - Data Security and ProtectionThe Future of the Modern Workplace Event 2019 - Data Security and Protection
The Future of the Modern Workplace Event 2019 - Data Security and Protection
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer
 

More from IT Governance Ltd

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get startedIT Governance Ltd
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security cultureIT Governance Ltd
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardIT Governance Ltd
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...IT Governance Ltd
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...IT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRIT Governance Ltd
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPRIT Governance Ltd
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 

More from IT Governance Ltd (20)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPR
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPR
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 

Recently uploaded

8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Timedelhimodelshub1
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadAyesha Khan
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 

Recently uploaded (20)

8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Time
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 

Legal obligations and responsibilities of data processors and controllers under the GDPR

  • 1. Legal obligations and responsibilities of data processors and controllers under the GDPR Presented by: • Alan Calder, founder and executive chairman, IT Governance 3 August 2017
  • 2. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk • Alan Calder • Founder of IT Governance • The single source for IT governance, cyber risk management and IT compliance • IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th Edition (Open University textbook) • www.itgovernance.co.uk • Introduction
  • 3. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk IT Governance Ltd: GRC one-stop-shop All verticals, sectors and all organisational sizes
  • 4. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk • The definitions of ‘data controller’ and ‘data processor’ under the GDPR. • The responsibilities and obligations of controllers and processors. • The data breach reporting responsibilities of controllers and processors. • The liability of, and penalties that may be imposed on, data processors and controllers. • The appointment of joint controllers and subcontracting processors. Agenda Copyright IT Governance Ltd 2017 – v1.0
  • 5. The definitions of ‘data controller’ and ‘data processor’ under the GDPR
  • 6. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Article 99: Entry into force and application • UK organisations that process the personal data of EU residents have only a short time to make sure that they are compliant. • The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures. “This Regulation shall be binding in its entirety and directly applicable in all Member States.” Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679 8 April 2016 Council of the European Union adopted the GDPR 12 April 2016 The GDPR was adopted by the European Parliament. 4 May 2016 The official text of the Regulation was published in the Official Journal of the EU 24 May 2016 The Regulation entered into force 25 May 2018 The GDPR will apply
  • 7. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Key definitions Article 4(1) ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly.
  • 8. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Key definitions Article 4(7) ‘Controller means the natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing.
  • 9. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Key definitions Article 4(8) ‘Data processor’ means a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.
  • 10. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Key definitions Article 4(2) ‘Processing’ means any operation or set of operations that is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
  • 11. The responsibilities and obligations of controllers and processors
  • 12. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Responsibilities and obligations To comply with the GDPR, data controllers must determine: • The legal basis for collecting data; • Which items of personal data to collect, i.e. the content of the data; • The purpose or purposes the data is to be used for; • Which individuals to collect data about; • Whether to disclose the data and, if so, to whom; • Whether subject access and other individuals’ rights apply, i.e. the application of exemptions; and • How long to retain the data or whether to make non-routine amendments to the data.
  • 13. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Responsibilities and obligations Controller Adhere to codes of conduct Implement technical and organisational measures Implement data protection policies
  • 14. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Responsibilities and obligations Article 28: Processor A legal contract must make sure that the processor: • Processes the personal data only on documented instructions from the controller; • Makes sure that persons authorised to process the personal data observe confidentiality; • Takes appropriate security measures; • Respects the conditions for engaging another processor; • Assists the controller by appropriate technical and organisational measures; • Assists the controller in ensuring compliance with the obligations to the security of processing; • Deletes or returns all the personal data to the controller after the end of the provision of services; and • Makes available to the controller all information necessary to demonstrate compliance with the Regulation.
  • 15. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Responsibilities and obligations Within the terms of the agreement with the data controller and their contract, a data processor may decide: • What IT systems or other methods to use to collect personal data; • How to store the personal data; • The detail of the security surrounding the personal data; • The means used to transfer the personal data from one organisation to another; • The means used to retrieve personal data about certain individuals; • The method for making sure a retention schedule is adhered to; and • The means used to delete or dispose of the data.
  • 16. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Responsibilities and obligations • Article 5: Principles relating to processing of personal data • “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” 1 • Processed lawfully, fairly and in a transparent manner 2 • Collected for specified, explicit and legitimate purposes 3 • Adequate, relevant and limited to what is necessary 4 • Accurate and, where necessary, kept up to date 5 • Retained only for as long as necessary 6 • Processed in an appropriate manner to maintain security Accountability
  • 17. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Article 12, clause 2 (and recital 59): The controller must facilitate the exercise of data subject rights. 1 • The right to be informed. 2 • The right of access. 3 • The right to rectification. 4 • The right to erasure. 5 • The right to restrict processing. 6 • The right to data portability. 7 • The right to object. 8 • Rights in relation to automated decision making and profiling. Responsibilities and obligations
  • 18. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Responsibilities and obligations Article 30: Records of processing activities • The controller or their representative shall maintain a record of processing activities containing all of the following information: – The name and contact details of the controller, joint controller, the controller's representative and data protection officer (DPO); – The purposes of the processing; – A description of the categories of data subjects and of the categories of personal data; – The categories of recipients to whom the personal data has been or will be disclosed; – International transfers of personal data and the documentation of appropriate safeguards; – The envisaged time limits for erasure of the different categories of data; – A general description of the technical and organisational security measures implemented.
  • 19. The data breach reporting responsibilities of controllers and processors
  • 20. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Data breach reporting responsibilities The definition of a personal data breach in the GDPR: • A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • 21. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Data breach reporting responsibilities Obligation for the data processor to notify the data controller: • Notification without undue delay after becoming aware. • No exemptions. • All data breaches have to be reported.
  • 22. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Data breach reporting responsibilities Obligation for the data controller to notify the supervisory authority: • Notification without undue delay and not later than 72 hours. • Unnecessary in certain circumstances. • Description of the nature of the breach. • No requirement to notify if unlikely to result in a risk to the rights and freedoms of natural persons. • Failure to report within 72 hours must be explained.
  • 23. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Data breach reporting responsibilities Obligation for the data controller to communicate a personal data breach to data subjects: • Communication to the data subject without undue delay if high risk. • Communication in clear plain language. • Supervisory authority may compel communication with the data subject. Exemptions if: • Appropriate technical and organisational measures are taken; • A high risk to a data subject will not materialise; or • Communication with a data subject would involve disproportionate effort.
  • 24. The liability of, and penalties that may be imposed on, data processors and controllers
  • 25. Copyright IT Governance Ltd 2017 – v1.1 TM www.itgovernance.co.uk Remedies, liabilities and penalties Article 79: Natural persons have rights • Judicial remedy where their rights have been infringed as a result of the processing of personal data.  In the courts of the Member State where the controller or processor has an establishment.  In the courts of the Member State where the data subject habitually resides. • Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor. • The controller involved in processing shall be liable for damage caused by processing. Copyright IT Governance Ltd 2017 – v1.0
26. Remedies, liabilities and penalties
Administrative fines (Article 83):
• In each case, fines must be effective, proportionate and dissuasive.
• The amount takes into account the technical and organisational measures the controller or processor had implemented, among the other Article 83(2) criteria.
• Lower tier: up to €10,000,000 or, in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers the obligations of controllers and processors (including Articles 25 to 39: data protection by design, processor contracts, records, security of processing, breach notification, DPIAs and DPOs), and the obligations of certification and monitoring bodies.
• Upper tier: up to €20,000,000 or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers the basic principles for processing (including the conditions for consent), data subjects' rights, international transfers, obligations under Member State law adopted under Chapter IX, and non-compliance with an order of a supervisory authority.
27. Remedies, liabilities and penalties
Article 83(2): General conditions for imposing administrative fines. When deciding whether to impose a fine, and its amount, the supervisory authority must give due regard to:
• The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing, the number of data subjects affected and the level of damage they suffered;
• The intentional or negligent character of the infringement;
• Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
• The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them under Articles 25 (data protection by design and by default) and 32 (security of processing);
• Any relevant previous infringements, the degree of cooperation with the supervisory authority, the categories of personal data affected, the manner in which the infringement became known (in particular whether the controller or processor notified it), adherence to approved codes of conduct or certification mechanisms, and any other aggravating or mitigating factor, such as financial benefits gained or losses avoided.
28. Remedies, liabilities and penalties
Article 82: Right to compensation and liability
• Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor.
• Any controller involved in processing is liable for the damage caused by processing which infringes the Regulation.
• A processor is liable only where it has not complied with obligations of the Regulation specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller.
• A controller or processor is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
• Where more than one controller or processor is involved in the same processing and responsible for the damage, each is held liable for the entire damage (joint and several liability), to ensure effective compensation of the data subject.
• Clawback: a controller or processor that has paid full compensation may claim back from the others involved the part of the compensation corresponding to their share of responsibility.
29. The appointment of joint controllers and subcontracting processors
30. The appointment of joint controllers
Article 26: Joint controllers
• Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.
Article 29 Working Party guidance (the Working Party is the body of EU supervisory authorities; this is not an article of the GDPR)
• Joint controllers that want to benefit from the one-stop-shop mechanism should designate, among the establishments where decisions about the processing are taken, the one that has the power to implement those decisions with respect to all the joint controllers; that establishment is then treated as the main establishment for determining the lead supervisory authority.
31. The appointment of joint controllers
Article 26(1): Joint controllers shall:
• Determine their respective responsibilities for compliance with the Regulation in a transparent manner, by means of an arrangement between them;
• In particular, allocate responsibility for handling the exercise of data subjects' rights and for the duties to provide information under Article 13 (where personal data are collected from the data subject) and Article 14 (where personal data have not been obtained from the data subject); and
• Optionally, designate in the arrangement a contact point for data subjects.
32. The appointment of joint controllers
Article 26(2): The arrangement
• The arrangement must duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.
• The essence of the arrangement must be made available to the data subject.
Article 26(3) and liability of joint controllers
• Irrespective of the terms of the arrangement, the data subject may exercise their rights against each of the joint controllers.
• Under Article 82, joint controllers are jointly and severally liable for damage caused by their processing; a joint controller escapes liability only if it proves that it is not in any way responsible for the event giving rise to the damage (any infringement, not only a data breach).
33. The appointment of joint controllers
Article 27: Representatives of controllers or processors not established in the Union
Where a controller or processor not established in the Union offers goods or services to, or monitors the behaviour of, data subjects in the Union (Article 3(2)):
• It must designate in writing a representative in the Union, unless the processing is occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to data subjects, or the controller or processor is a public authority or body.
• The representative must be established in one of the Member States where the data subjects whose personal data are processed are located.
• The representative must be mandated to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects on all issues related to the processing, for the purposes of ensuring compliance with the Regulation.
• Designating a representative is without prejudice to legal actions that could be initiated against the controller or processor themselves: it does not absolve them of liability.
34. Subcontracting processors
Data processors may appoint a sub-processor (Article 28)
• A processor may only process personal data on behalf of a controller under a contract or other legal act that is in writing (including electronic form) and binding on the processor.
• The contract must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and responsibilities of the processor listed in Article 28(3).
• A processor may not engage a sub-processor without the controller's prior specific or general written authorisation; under a general authorisation it must inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object.
• The same data protection obligations must be flowed down to the sub-processor in a written contract, and the initial processor remains fully liable to the controller for the sub-processor's performance of those obligations.
35. Subcontracting processors
The Article 28(3) obligations below bind every processor and must be flowed down to sub-processors or subcontracted processors, which shall:
• Only process personal data on the controller's documented instructions, including with regard to transfers to third countries or international organisations;
• Maintain records of the categories of processing activities carried out on behalf of the controller (Article 30(2));
• Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
• Take the security measures required by Article 32;
• Assist the controller, by appropriate technical and organisational measures, in responding to data subjects' requests to exercise their rights;
• Assist the controller in meeting its obligations on security of processing, breach notification, data protection impact assessments and prior consultation (Articles 32 to 36);
• At the controller's choice, delete or return all the personal data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage; and
• Make available to the controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits and inspections conducted by the controller or its auditor.
36. IT Governance: GDPR one-stop shop
Self-help materials
• A Pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
37. IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
38. IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis: our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: data mapping plots all of your data flows, drawing up an extensive inventory of the data to understand where it flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Information Commissioner notification support (a legal requirement for DPA compliance): organisations that process personal data must complete a notification with the Information Commissioner under the DPA.
• Implementing a personal information management system (PIMS): establishing a PIMS as part of your overall business management system places data protection management within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001: we offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, to help you implement an ISO 27001-compliant ISMS quickly and without hassle, wherever your business is located.
• Cyber Health Check: the two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.