Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

General Data Protection Regulation - Mathilde Alzamora - Rakuten group

296 views

Published on

https://www.slideshare.net/recsysfr/an-homophilybased-approach-for-fast-post-recommendation-in-microblogging-systems-quentin-grossetti-lip6

Published in: Law
  • Be the first to comment

  • Be the first to like this

General Data Protection Regulation - Mathilde Alzamora - Rakuten group

  1. 1. Cliquez pour modifier le style du titre The GDPR (General Data Protection Regulation)
  2. 2. Cliquez pour modifier le style du titre In brief 1
  3. 3. Cliquez pour modifier le style du titreWhat is the GDPR? 3 Adopted in April 2016 and applicable as of May, 25th 2018 Replaces all the national legislations about the handling of personal data in Europe Until now, 1995 Directive which had been transposed differently among the EU countries In France, the law « Informatique et libertés » is going to be modified There still will be other differing sources: national case law and national data protection authorities (CNIL) doctrines Still pending: E-privacy Regulation adoption (about cookies and OTT) 12 février 2018
  4. 4. Cliquez pour modifier le style du titreWhy was the GDPR passed? 12 février 2018 4 • Harmonisation of the European rules • To directly target non-European companies making business with EU data • To empower citizens and give them control over their data
  5. 5. Cliquez pour modifier le style du titreWhy is the GDPR important? 5 Fines of up to 4% of the global annual turnover or 20 million euros // Now in France: max fine = 3 million euros Loss of reputation and future customers NGOs can bring claims on behalf of individuals Burden of proof is on the company 12 février 2018
  6. 6. Cliquez pour modifier le style du titreWhen is the GDPR applicable? 6 The GDPR is applicable Yes No The GDPR is not applicable Does your business offer services to the EU? Do you provide your service in any European languages? Does your service use/accept any European currency? Are EU customers specifically addressed? (delivery) Profiling Tracking by cookies or otherwise Analysis of personal preferences / behavior Yes No Yes No Does your business collect, use or process personal data? But other privacy laws may apply Yes Is an office of your business in the EU? No Do you monitor individuals in the EU?
  7. 7. Cliquez pour modifier le style du titre Definitions 2
  8. 8. Cliquez pour modifier le style du titrePersonal data Any information relating to an identified or identifiable natural person (« data subject ») Identifiable person: direct or indirect identification, notably by reference to a name, identification number, location data or other elements specific to his/her identity… Needs to take into account all the means reasonably likely to be used (cost, time, technology) to identify the person Ex: name, address, credit card number, IP address, licence plate, location data, logs, user name, browsing history,… 8CONFIDENTIEL12 février 2018
  9. 9. Cliquez pour modifier le style du titre 9 Any action on a data (collection, storage, consultation, retrieval, erasure,…) The person/company which, alone or jointly, determines the purposes and means of the processing Processing Data controller Making data accessible in other countries as where it was collected (not a simple website). It is forbidden to send data out of the EU except if some contractual measures are taken. Data Transfer The person/company which processes personal data on behalf of the controller (ex: call centers,…) Reversible modification of the data which makes it not attributable to a single person anymore (still a personal data) / All the identifiers are irreversibly removed (not a personal data anymore) Data processor Pseudonymisation/ Anonymisation Other definitions
  10. 10. Cliquez pour modifier le style du titre Main principles 3
  11. 11. Cliquez pour modifier le style du titreLegal Basis explained 11 Each processing activity must be allowed by one of the following grounds: Data processing is necessary for the fulfillment of the contract (ex: name and address to deliver a good) Provided for by a law (ex: communication rights of some authorities (tax or customs)) The data subject can reasonably expect it (ex: fraud prevention) Clear agreement of an informed person (no pre-ticked checkbox) Contract performance Legal obligation Legitimate interest of the data controller Consent
  12. 12. Cliquez pour modifier le style du titreData Protection Main Principles 12 Each processing activity must comply with all of these rules: The individual needs to know why and how his/her data will be used (via the privacy policy). Data can only be collected for defined purposes. These purposes need to be legitimate and clearly mentioned to the data subject. Then data can only be used for the purpose it was collected. Only adequate and relevant data can be collected. No more data than strictly necessary for the achievement of the purpose should be collected. Lawfulness, fairness & transparency Purpose limitation Data Minimisation
  13. 13. Cliquez pour modifier le style du titreData Protection Main Principles 13 Each processing activity must comply with all of these rules: Collected data need to be accurate and kept updated. Inaccurate data need to be rectified or deleted. Data should not be kept for longer than strictly necessary to achieve the purpose. Need to take into account other storage requirements in order to establish a data retention policy (archives). Accuracy Storage limitation Integrity & confidentiality Accountability Data need to be stored in a secure manner. Be able to demonstrate compliance with all these principles (internal procedures).
  14. 14. Cliquez pour modifier le style du titre Other requirements 4
  15. 15. Cliquez pour modifier le style du titreData subjects’ rights 15 • Clearly inform users in the Privacy Policy in easy language • Let people access their data & receive back all data they provided and ask for transferring that data to another company • Individuals can ask for permanent deletion of their data (in some cases) • Right to oppose direct marketing (profiling) 12 février 2018
  16. 16. Cliquez pour modifier le style du titrePrivacy by design & by default 16 • Necessity to take into account data protection principles as of the design of the product/service & during all its lifecycle • Best practices: data minimisation & pseudonymisation Privacy by design • Ensuring that only necessary data are processed by the appropriate persons • Best practices: data minimisation, storage limitation & access management Privacy by default
  17. 17. Cliquez pour modifier le style du titreSecurity requirements • Necessity to conduct a risk analysis and to take into account the caracteristics of the processings to assess which security measures are required. • Examples of good practices : data pseudonymisation & encryption, BCP, audits,… • No real security guidelines: need to adopt the latest security standards to demonstrate compliance. • Necessity to pass on these security requirements to contractors. 17
  18. 18. Cliquez pour modifier le style du titre Conclusion 5
  19. 19. Cliquez pour modifier le style du titreWhat will the GDPR really change? • Accountability principle : less formalities to the DPA but more internal preparatory works (DPIA) and possibly higher fines in case of a control (on-site or online) • Mandatory Data Protection Officer (records of processings) • New obligations to data processors • Security breach notification to the DPA (and even to the users in some cases) 72 hours max after a security incident • New user right: data portability • « Privacy by design » & « privacy by default » to be implemented 1912 février 2018
  20. 20. Cliquez pour modifier le style du titre Questions? mathilde.alzamora@priceminister.com

×