
Lecture 1: what is the gdpr


What is the GDPR?

Published in: Education

  1. Lecture 1: What is the GDPR? Introduction to the New EU Regulation: Key Principles and Changes
  2. In this lecture, you will learn:
     1. What is the GDPR and what are its main requirements?
     2. Does my organization need to comply with the new regulation?
     3. What broad changes does the new regulation introduce?
     4. What common business practices will need to change?
  3. What is the GDPR?
     • EU General Data Protection Regulation (1995) – replaced by two new laws:
       • Regulation (EU) 2016/679 of the European Parliament “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”
       • Directive (EU) 2016/680 (governs European law enforcement)
  4. Why new laws?
     • 2012 – European Commission proposal for a comprehensive reform of data protection
     • Goals:
       • “give citizens back control over their personal data, and simplify the regulatory environment for business”
       • Clarify individual rights in the digital age
       • Create a “Digital Single Market” within the EU
  5. Regulation (EU) 2016/679
     • Codifies the protection of personal data pertaining to all people within the EU
     • Adopted on April 27, 2016
     • Enters into force May 25, 2018
  6. Regulation (EU) 2016/679
     Underlying principle: Protection of personal data is a fundamental right
     • Individual data subjects have fundamental rights
     • Organizations that handle personal data are responsible to provide for data subjects’ rights
  7. What is personal data?
     Data pertaining to an “identified or identifiable natural person”
     • Includes online identifiers (IP addresses, cookie identifiers)
  8. What is processing of personal data?
     • Collecting
     • Storing
     • Structuring
     • Retrieving
     • Using
     • Disclosing
     • Disposing
  9. Who are controllers and processors?
     • Controller determines the purpose and means of processing personal data; usually the collector of data
     • Processors are engaged to process data on behalf of the controller
     • Controllers are responsible to monitor processors’ compliance
  10. Does my company need to comply with the new regulation?
     • The Regulation applies to:
       • All organizations established in the EU that process personal data
       • Processing of personal data by organizations outside the EU that are offering goods or services to people in the EU, or that are monitoring the behaviour of people within the EU (e.g., online tracking)
  11. Key Principles of the Regulation
     • Limitation of processing
     • Informed consent
     • Lawful processing
  12. Limitation of Processing
     • Personal data must be processed only for specified, explicit and legitimate purposes
     • Data must not be further processed in ways inconsistent with the initial purposes
     • Data should be adequate, relevant, and necessary
     • Data should be accurate and kept up-to-date where necessary
     • Data should be kept only as long as necessary
  13. Informed Consent
     • A clear, affirmative act
     • “freely given, specific, informed and unambiguous”
     • Information related to consent should be clearly distinguishable from other information in a notice
     • Information must be intelligible, easily accessible, in clear and plain language
     • Right to withdraw consent
     • Services cannot be withheld on condition of consent
  14. Age of Consent
     • Age of consent for information society services (e.g., social media) is 16 unless a lower age (not lower than 13) is specified by an EU member state
     • Parental consent required for children
  15. Lawful Processing
     • One of the following conditions must be met:
       • Consent from the data subject
       • Processing is necessary for a contract
       • Processing is necessary for compliance with EU laws
       • Processing is necessary to protect a person’s vital interests
       • Processing in the public interest or exercise of official authority
       • Legitimate interests of the controller or a third party that are not overridden by the data subject’s rights and freedoms
  16. Special Categories of Data
     • Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, in addition to genetic data, biometric data for the purpose of identification, data concerning a person’s health, sex life or sexual orientation
     • Need data subject’s consent, except in certain legal, medical, and public health contexts
  17. Key Changes: New Rights and Obligations
     Source: European Commission Fact Sheet: Questions and Answers – Data Protection Reform. 21 Dec. 2015
  18. Key Changes
     1. Right to be Forgotten
     2. Informed Consent
     3. Right to Data Portability
     4. Individual Breach Notification
     5. Data Protection by Design and by Default
     6. Mandatory Data Protection Officer
     7. Penalties
  19. Right to Be Forgotten
     • Personal data should be deleted when the data subject no longer wants it to be processed, unless there is a legitimate reason to retain the data (e.g., to complete a contract or comply with legal obligations)
  20. Informed Consent
     • More information is to be made available to persons, in clear and plain language, about how their personal data will be processed
     • Will be enforced especially with regard to services intended for children
     • Informed consent must be indicated by a clear affirmative action
  21. Right to Data Portability
     • Data subjects have a right to a copy of their personal data in an appropriate format, and where possible, to transfer their data directly from one service provider to another
     • E.g., individuals should be able to transfer their photos from one social network to another
  22. Individual Breach Notification
     • Data subjects have a right to be notified personally of data breaches that pose a risk to their rights and freedoms, without undue delay
  23. Data Protection by Design and by Default
     • Mandates the implementation of data protection by design and by default
     • Recommends technical safeguards such as anonymization, pseudonymization, and encryption, as well as organizational safeguards
  24. Mandatory Data Protection Officer (DPO)
     • Under Article 37, a DPO appointment is required if an organization’s core activities consist of regular and systematic monitoring of personal data on a large scale (both data controllers and processors)
     • Also where profiling or processing special categories of data
     • Precise credentials are not provided, but the DPO should have “expert knowledge of data protection law and practices.”
  25. Data Protection Officer Responsibilities
     • Informing and advising the organization of their obligations to comply with the GDPR and other data protection laws
     • Monitoring compliance with the GDPR and other privacy laws, including managing internal data protection activities, training data processing staff, and conducting internal audits
     • Advising on or conducting data protection impact assessments (DPIAs)
     • Working and cooperating with the controller’s or processor’s designated supervisory authority and acting as the contact point for the supervisory authority on issues relating to the processing of personal data
     • Being available for inquiries from data subjects
  26. Penalties
     • Violation of key provisions can be punished by fines of up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is greater
     • Burden is on the data controller to prove no liability
  27. How companies are responding:
     • Stop buying and selling personal data (e.g., email lists, customer data, social media data)
     • Know where your clients live (or implement EU requirements across the board)
     • Prepare to respond to requests from data subjects (e.g., access, rectification, erasure)
     • Audit sub-contractors for compliance
     • Reconsider cloud services
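Slide 23 names pseudonymization as one of the technical safeguards behind data protection by design, and slide 7 notes that online identifiers such as IP addresses count as personal data. The following is an added example, not part of the lecture, showing one common way to pseudonymize such identifiers before they reach an analytics store: a keyed hash (HMAC-SHA256) replaces each direct identifier with a token that is stable for one person (so records stay linkable for analysis) but cannot be turned back into the identifier without the separately held key. The event records, field names and `DIRECT_IDENTIFIERS` list are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample web-analytics events (hypothetical, not from the lecture).
# Both the IP address and the e-mail are online identifiers, which the
# Regulation treats as personal data.
RAW_EVENTS = [
    {"ip": "203.0.113.42", "email": "alice@example.com", "page": "/pricing"},
    {"ip": "203.0.113.42", "email": "alice@example.com", "page": "/checkout"},
    {"ip": "198.51.100.7", "email": "bob@example.org", "page": "/pricing"},
]

# Fields that directly identify a person; they must not be stored in clear
# in the analytics data set (assumed schema for this example).
DIRECT_IDENTIFIERS = ("ip", "email")


def new_pseudonymization_key() -> bytes:
    """Generate the secret key. It must be stored apart from the
    pseudonymized data (e.g. in a KMS or HSM); holding the key is what
    allows re-identification, so separating it is the whole safeguard."""
    return secrets.token_bytes(32)


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Keyed hash (HMAC-SHA256) of one identifier value.

    The field name is mixed in so the same string appearing in two
    different fields yields two unrelated pseudonyms. For a fixed key the
    output is deterministic, so all events of one person share a token
    and can still be grouped for analysis."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(key: bytes, record: dict) -> dict:
    """Return a copy of the record with every direct identifier replaced."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymize_value(key, field, out[field])
    return out


def pseudonymize_events(key: bytes, events: list) -> list:
    """Pseudonymize a whole batch; non-identifier fields pass through."""
    return [pseudonymize_record(key, e) for e in events]


def contains_raw_identifiers(events: list) -> bool:
    """Sanity check before data leaves the processing boundary: True if a
    direct-identifier field still holds something that looks like a raw
    e-mail address or dotted IPv4 address."""
    for e in events:
        for field in DIRECT_IDENTIFIERS:
            v = e.get(field, "")
            looks_like_email = "@" in v
            looks_like_ipv4 = v.count(".") == 3 and v.replace(".", "").isdigit()
            if looks_like_email or looks_like_ipv4:
                return True
    return False


if __name__ == "__main__":
    key = new_pseudonymization_key()
    safe = pseudonymize_events(key, RAW_EVENTS)
    for event in safe:
        print(event)
    print("raw identifiers remaining:", contains_raw_identifiers(safe))
```

Why a keyed hash rather than a plain SHA-256: the set of possible IPv4 addresses is small enough that an unkeyed digest can be matched against a precomputed table, so it would still identify the person and would not count as pseudonymization in the sense of slide 23. With the key held outside the analytics system, re-identification requires access to the key, which can be controlled, logged, and rotated.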