4. Terminology
What is personal data?
Any information relating to an identified or identifiable natural
person, such as name, age, residence, occupation, location, marital
status, physical characteristics, education, job description, interests,
activities, habits, hobbies, etc.
The identified or identifiable natural person to whom such data relates
is called the Data Subject.
5. Terminology
What is sensitive personal data?
Any information regarding the Data Subject that reveals racial or
ethnic origin, political opinions, religious beliefs or other beliefs of a
similar nature, physical or mental health or condition, sex life, whether
the DS is a member of a trade union, the commission or alleged
commission by the DS of any offence, any proceedings for any offence
committed or alleged to have been committed by the DS, the sentence of
any court, etc.
Sensitive personal data is protected under stricter rules. The GDPR
calls most of this list "special categories of personal data" (Article 9)
and treats criminal offence and conviction data separately (Article 10);
both may only be processed under narrowly defined conditions.
6. Terminology
DS: Data Subject - the identified or identifiable natural person whose
data we collect.
DC: Data Controller – the natural or legal person (typically the business)
who determines the purposes for which, and the way in which, personal
data is processed.
DP: Data Processor – anyone who processes personal data on behalf
of the data controller.
DPO: Data Protection Officer – responsible for overseeing data
protection strategy and implementation to ensure compliance with
GDPR requirements.
8. About the Data (2 questions)
1. Do I have the right to keep data?
Note: In any case, you may keep personal data when a legal obligation
covers it (recruitment, financial transactions, invoicing, contracts and
family data, employee medical counselling, maternity and pregnancy
leave, civil status, etc.). In such cases you are entitled, and obliged by
law, to retain the data on the data subjects for a statutory minimum
period; in most European countries this is in the order of 5 to 6 years,
depending on the national law that applies (tax, labour, commercial).
9. About the Data (2 questions)
2. How do I protect the data that I keep?
11. Fines
Fines of up to 20 million euros, or 4% of worldwide annual turnover if
that is higher, but before we start getting that scared, a supervisory
authority may first use its corrective powers, which include:
1. Warnings
2. Reprimands
3. Orders to comply with the DS's requests
4. Orders to communicate a data breach directly to the affected DS
12. Fines
Categories (Article 83):
Tier I: up to 10 million euros or 2% of worldwide annual turnover
(whichever is higher) - breaches of Data Controller and Data Processor
obligations (e.g. security measures, records of processing, breach
notification).
Tier II: up to 20 million euros or 4% of worldwide annual turnover
(whichever is higher) - breaches of the basic principles of processing,
of the conditions for consent, of the DS's rights, and of the rules on
international transfers.
13. Fines
The value of a fine is not straightforward: the nature and duration of
the infringement, the organization's steps towards compliance, its
cooperation with the authority and its general behaviour are all taken
into account when determining the amount.
The available official guidance is unclear and full of jargon.
16. STEP 1 – Data Gathering
Gather, store and organize all your data in one place.
Key Points
• You have to be able to retrieve anyone's data as soon as possible and
as accurately as possible, if ever asked.
• You have to show that you know exactly what data you hold, on whom
and where, if ever investigated by a supervisory authority under the
GDPR.
• You have to gather all existing personal data, including copies held in
backups, spreadsheets, mailboxes and with processors.
18. STEP 2 – Data Audit
Audit your data and dispose of what you don't need.
Key Points
• Why do you hold other people's data, and on what lawful basis?
• Categorize your data as: not useful anymore, useful but harmless,
useful and risky (medical, financial, other special categories).
• Delete all data you don't need, unless a legal retention obligation
(see "About the Data") requires you to keep it.
20. STEP 3 – Secure Data
Protect against breaches, hacks, lock-outs and ransomware,
destruction and deletion of data, etc.
Key Points
• Cloud security (access control, encryption, tested backups)
• Active protection (antivirus, firewall, remote wipe of lost devices)
• Security for hard copies of data (locked, disaster-proof storage);
keeping hard copies at all is NOT RECOMMENDED due to the risk and
high cost
• Written procedures for the security measures, so you can evidence
them in an investigation
22. STEP 4 – Data Policy
Write a clear and fair privacy policy.
Key Points
• A document that clearly describes what data you collect and how you
use it.
• Easy access to the data policy (ideally, a link next to every submit
button).
• AVOID technical language and jargon.
23. STEP 4 – Data Policy
Answer the following (all of them):
1. What Information do you collect?
2. Who are you?
3. How is information collected?
4. Why do you collect information?
24. STEP 4 – Data Policy
Answer the following (all of them):
5. How will you use the information?
6. Who will you share it with?
7. How are the people whose data you hold and process affected?
8. Is the intended use likely to cause objections?
26. STEP 5 – Export Data
Set up a process for exporting all the data you hold on a person.
Key Points
• Provide the requested information within one month and free of
charge. The month may be extended by up to two further months for
complex or numerous requests, but the DS must be told about the
extension, and the reasons for it, within the first month.
• Verify the identity of the requester before releasing anything; an
access request is a classic way to trick an organization into handing
someone else's data to an attacker.
28. STEP 6 – Update & Delete Data
Set up a process for updating and / or deleting data, if ever
asked by the DS.
29. STEP 6 – Update & Delete Data
DANGER: contacting a person you are supposed to have no data on
anymore is itself a breach. Keep a minimal "do not contact" marker
(not the full record) so a deleted person is not re-imported from a
backup or a third-party list.
31. STEP 7 – Positive Opt In, Action & Evidence
We collect data only when the DS proactively submits it!
Key Points
• AVOID pre-checked boxes; silence or inactivity is not consent.
• Clear and visible "Yes, I agree..." checkbox, separate from other
terms.
• Double opt-in: a confirmation link the DS must click, which proves
the address belongs to them and records when they consented.
• Sign a paper in person, in case you collect personal data offline.
• Inform everyone in your existing database about GDPR and encourage
subscribers to re-subscribe or reply with a copy-paste consenting
email. Caveat: a re-consent campaign is itself marketing; regulators
have fined companies for sending it to people they had no valid basis
to contact, so only email those you already have a lawful basis for.
33. STEP 8 – Easy Opt Out
Make it easy for anyone to opt out.
Key Points
• Newsletters (one-click unsubscribe link in every message)
• SMS (a reply keyword such as STOP)
• Call centres (log the opt-out and honour it immediately)
• Provide clear opt-out directions with no small print
34. STEP 8 – Easy Opt Out
DANGER: contacting an opted-out person is a breach, so check the
suppression list before every send, not just at import time.
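Steps 5 to 8 above describe the same small piece of machinery from four angles: a consent record that carries evidence of the subject's action, a double opt-in confirmation, an opt-out that is checked before every send, and an erasure that still prevents re-contact. The following is an added example, written for this page and not code from the original deck or its author; it models those steps in memory. The class and field names, the `SUPPRESSION_KEY` value and the choice of a keyed hash for the suppression list are this example's own assumptions, not anything the GDPR text prescribes.

```python
"""Consent ledger: double opt-in, opt-out, subject access export and
erasure-safe suppression (added illustration, not the deck's own code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical per-deployment secret for this example; in production it
# would come from a secret store, never from source code.
SUPPRESSION_KEY = b"example-suppression-key-rotate-me"
POLICY_VERSION = "privacy-policy-v3"  # wording the subject actually agreed to


def _suppression_tag(email: str) -> str:
    """Keyed hash of a normalised address. After erasure we keep only this
    tag, so we can still refuse to contact the person without holding the
    clear-text address (a plain SHA-256 would be trivially reversible
    for common addresses; the key makes offline guessing impractical)."""
    norm = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, norm, hashlib.sha256).hexdigest()


@dataclass
class Subscriber:
    email: str
    requested_at: str                       # when the DS submitted the form
    source: str                             # which form/page: evidence of the action
    policy_version: str = POLICY_VERSION
    confirm_token: Optional[str] = None     # pending until the DS clicks the link
    confirmed_at: Optional[str] = None      # double opt-in completed
    opted_out_at: Optional[str] = None


class ConsentLedger:
    def __init__(self) -> None:
        self.subscribers: dict[str, Subscriber] = {}
        self.suppressed: set[str] = set()   # keyed hashes only, no clear text

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def request_subscription(self, email: str, source: str) -> str:
        """Step 7: record the proactive action and issue a single-use token
        that goes into the confirmation email. Nothing is sent to this
        address until the token comes back."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)
        self.subscribers[email] = Subscriber(email, self._now(), source,
                                             confirm_token=token)
        return token

    def confirm(self, token: str) -> bool:
        """Complete the double opt-in. A fresh, explicit confirmation is new
        consent, so it also clears any earlier opt-out or suppression tag.
        compare_digest keeps the lookup constant-time per candidate."""
        for sub in self.subscribers.values():
            if sub.confirm_token and hmac.compare_digest(sub.confirm_token, token):
                sub.confirmed_at = self._now()
                sub.confirm_token = None          # single use
                sub.opted_out_at = None
                self.suppressed.discard(_suppression_tag(sub.email))
                return True
        return False

    def opt_out(self, email: str) -> None:
        """Step 8: record the opt-out and add the address to the suppression list."""
        email = email.strip().lower()
        if email in self.subscribers:
            self.subscribers[email].opted_out_at = self._now()
        self.suppressed.add(_suppression_tag(email))

    def erase(self, email: str) -> None:
        """Step 6: delete the record but keep the keyed hash, so the person is
        not mailed again if the address resurfaces from a backup or import."""
        email = email.strip().lower()
        self.subscribers.pop(email, None)
        self.suppressed.add(_suppression_tag(email))

    def may_contact(self, email: str) -> bool:
        """Run before every send: confirmed consent, no opt-out, not suppressed."""
        email = email.strip().lower()
        sub = self.subscribers.get(email)
        return (sub is not None and sub.confirmed_at is not None
                and sub.opted_out_at is None
                and _suppression_tag(email) not in self.suppressed)

    def export(self, email: str) -> Optional[dict]:
        """Step 5: everything held on the subject, minus the secret token,
        as a plain dict for the access-request response."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None:
            return None
        return {k: v for k, v in vars(sub).items() if k != "confirm_token"}
```

The point worth noticing is that `erase` and `opt_out` do not delete the person from the system entirely: they leave a keyed hash behind, which is enough to answer "may I contact this address?" with no but not enough to reconstruct who the person was. A fresh double opt-in removes that tag again, because a new, evidenced action by the subject is new consent.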
36. STEP 9 – Inform
Make sure everyone in your company knows about GDPR.
Make sure customers and vendors also know about GDPR
and review your contracts with them (a processor must be bound by a
written contract setting out what it may do with the data).
Key Points
• Send informative emails.
• Train everyone.
• Appoint a Data Protection Officer (DPO) where the GDPR requires one:
public authorities, organizations whose core activities involve
large-scale regular and systematic monitoring of people, or large-scale
processing of sensitive data. The 250-employee figure often quoted
here is the threshold for the records-of-processing exemption, not
for the DPO; a small company can still be obliged to appoint one.
39. Data Ownership
SHOULD I BUY DATA?
Make sure the Provider Company is GDPR compliant and each and
every DS in the dataset has actively opted-in for their data to be stored
by a third party company.
In practice, it is advisable not to buy!
40. Data Ownership
MAYBE I SELL MY BUSINESS ONE DAY! WHAT ABOUT THE
DATA?
There has to be a clear-cut section in your data policy stating that, in
case of a sale or acquisition of the business, the data will pass to the
new owner.
When that day comes, you should inform the new owner of your existing
data policies and of the fact that they have no right to use the data
for any purpose other than those the data subjects were told about.
41. Are you GDPR Compliant?
Andreas Batsis, Digital Strategy & Cloud Security Solutions