EU Privacy Laws and Start-Ups


European Union privacy law, the General Data Protection Regulation (GDPR), also has a deep impact on start-ups and early-stage companies. This session provides basic information about the GDPR and how to deal with it.

Published in: Technology

  1. EU Privacy Laws and Start-Ups
     EXOVE 2017
  2. About Exove
     ● Digital design and development company in Finland, Estonia, and the UK
     ● Full service portfolio from business consulting and service design to development and care
     ● We serve multinational giants and new start-ups alike
     ● Start-up sweat equity investments through Exove Ventures
     ● We deliver digital growth
     More about us:
     ● www.exove.com
     ● www.exove.com/gdpr
     ● @exove
  3. About Janne Kalliola
     ● Founder and CEO of Exove
       ○ Continuent, First Hop, SSH, HUT
     ● Been coding since 1983, first web stuff in 1994
     ● Major involvements in start-ups: Golf Gamebook, Scoopshot, Eazybreak, Blyk, Jaiku
     More about me:
     ● www.kallio.la
     ● linkedin.com/in/jannekalliola
     ● @plastic
  4. Agenda
     ● EU Privacy: General Data Protection Regulation in a nutshell
       ○ Background
       ○ New rights for individuals
       ○ New requirements for companies
     ● What to do?
       ○ Practical approach
     ● Questions & answers
  5. General Data Protection Regulation
  6. GDPR?
     The General Data Protection Regulation is the EU’s new privacy regulation that harmonises the handling of personal data in the member states and gives new rights to individuals. It replaces the old directive (95/46/EC), which is outdated and implemented differently in each member state.
  7. GDPR in a Nutshell
     ● GDPR is a regulation, thus it is in force in all member states without local legislation
     ● Local legislation needs to be made compatible with the regulation, and the regulation allows a lot of locally adjustable details
     ● Adds rights for individuals and responsibilities for companies
     ● Applies to all companies, worldwide, that process personal data of an EU resident
     ● GDPR is in force already
     ● We are currently in a transition period that ends on May 25th, 2018
     ● GDPR imposes administrative sanctions that can be considerable
  8. Two Data Handling Roles
     Controller
     ● The company collecting the data and controlling its usage
     ● Responsible for, and able to demonstrate, compliance with the regulation
       ○ Including work done by processors
     Processor
     ● A company that processes personal data on behalf of a controller
     ● Must be contractually bound to the controller and follow written orders
     ● Must return or delete data when the contract ends
  9. Broad Definition of Personal Data
     ● GDPR broadens the definition of personal data:
       ○ Any information concerning an identified or identifiable natural person, such as name, telephone number, email address, car license plate, dynamic IP address
       ○ Pseudonymised data that can be reversed to identifiable form with additional data
     ● GDPR also defines sensitive data that must be handled with special care
       ○ Political affiliation, health records, genetic & biometric data, etc.
     ● Children are identified as vulnerable individuals that require specific protection
       ○ Consent is given by the person with parental responsibility for the child
  10. Other Major Concepts
     ● Transparency and consent: individuals need to know how and why their data is used, and companies need to have a valid reason for the data usage
       ○ Several valid reasons, such as contractual, legal, and based on consent
       ○ If consent is given, it can be withdrawn at any time
     ● Privacy by design and default: systems need to be designed to take privacy into account from the very beginning
     ● Accountability: organisations must be able to prove that they are following the regulation, i.e. a reversed burden of proof
       ○ Requires process documentation, paper trails of decisions, and in some cases privacy impact assessments
  11. Rights of the Individuals (1/2)
     ● Access to data: individuals must be able to see the data collected about them
       ○ Upon request, which must be fulfilled within a month (there are extensions for some cases), in a commonly used electronic format
       ○ The first copy must be free of charge
     ● Rectification of inaccurate data: individuals can ask for inaccurate data to be corrected
     ● Right of erasure: individuals can ask for data to be removed
     ● Objection to processing: individuals can stop specific kinds of processing, for example direct marketing
  12. Rights of the Individuals (2/2)
     ● Portability: individuals have the right to have their data ported to them or to another service
     ● Restricting processing: individuals can ask to stop processing of their data for a period of time
       ○ Data can also be temporarily removed in this case
     ● Profiling and automated decision-taking: profiling based on sensitive data requires explicit consent, and individuals can request manual intervention in automated decision-taking that causes them significant effects
  13. Data Transfers
     ● Transfers outside the EEA (European Economic Area) are restricted, but not forbidden
     ● Transfers require an adequate level of data protection, such as following the EU model clauses
     ● A number of safe countries have regulation that provides similar protection of personal data as the GDPR
     ● Safe Harbor is now replaced with Privacy Shield, a brand new deal that lets US companies self-certify so that they may host data regulated by the GDPR
  14. Data Breaches
     ● Processors need to inform the controller “without undue delay after becoming aware of it”, without exceptions
     ● Controllers need to inform the authorities within 72 hours after becoming aware of the breach
     ● In some cases, the controller will need to inform the data subjects about the breach
  15. Implications for UX
     ● Consent is more regulated than before
       ○ Needs to be specific and unambiguous, and cannot be part of other written agreements
       ○ Must be active, i.e. no pre-ticked checkboxes
       ○ Must be reversible
       ○ A record of the given consent is required
       ○ Consent cannot be required for a service that also works without processing personal data
     ● The privacy policy is more important than before
       ○ Data has to have storage times, and a lot of other details must be stated
  16. Changes in Contracting
     ● The controller must have a written contract with every processor
       ○ Responsibility extends to the end of the subcontracting chain
     ● The contract has mandatory clauses stipulated by the GDPR
     ● The actions done by a processor must be defined in writing
  17. What Now?
  18. My Advice
     ● This is for real, so better be prepared
     ● Start now; soon you are late
     ● Everything that you do now should already be compliant with the GDPR
       ○ Pay attention to your data architecture
       ○ Think of user rights and how they are implemented
     ● Train your people
     ● Get external help if you do not know how to proceed
  19. You Need to Know Where You Stand
     ● You need to understand the GDPR and its effects on your organisation
     ● You must understand how data flows in your systems
       ○ Where, what and why data is stored
       ○ Check whether data is flowing out of the EU or to another controller
     ● You must have defined and followed procedures for handling personal data
       ○ These are typically mostly non-existent in start-ups
     ● You need to have written contracts with all your partners related to personal data
     ● You need to be moving now and be compliant by May 25th, 2018
       ○ There might be some leeway, but I would not count on it
     ● And if you do nothing, you are just asking for trouble
  20. Our Proposal
     ● Exove has partnered with Bird & Bird to tackle GDPR challenges within big and small organisations
     ● Together, we are able to handle legal, processual, and technical issues simultaneously
     The work is split into two parts:
       ○ Gap analysis: understanding your current position and the gap towards compliance through structured and tailored interviews, a workshop and a gap analysis
       ○ Compliance program: a complete undertaking to ensure GDPR compliance in your company
  21. Gap Analysis
     Contents, description and results of each step:
     ● IT and juridical questionnaires
       ○ Description: Bird&Bird asks the juridical questions and Exove focuses on ICT. The questionnaires are typically sent to the people responsible for ICT, HR, legal and business.
     ● Analysis
       ○ Description: Bird&Bird and Exove study the results and write an analysis of the situation.
       ○ Results: a report with a roughly ten-point list of the current situation and action points.
     ● Workshop
       ○ Description: Bird&Bird and Exove organise a three-hour workshop with the key people of the client.
     ● OPTION: GDPR compliance program
       ○ Description: the report is gone through with the client and the situation is assessed to understand how the client will reach the legally and technically required compliant state.
       ○ Results: an offer for executing a GDPR compliance program.
  22. Compliance Program
     ● Bird & Bird and Exove plan and execute a complete compliance program
     ● Based on the gap analysis findings, the industry of the client, and the assessed risks
     ● Includes changes to processes, documentation, technology, UX, and contracts
     ● The depth of the work is to be agreed on a case-by-case basis
  23. Questions & Answers
  24. Thank You!
     EXOVE
     Janne Kalliola
     janne@exove.com
     +358 40 558 1796
