EU Privacy Laws and Start-Ups
EXOVE 2017
About Exove
● Digital design and development
company in Finland, Estonia, and the UK
● Full service portfolio from business
consulting and service design to
development and care
● We serve both multinational giants and
new start-ups alike
● Start-up sweat equity investments
through Exove Ventures
● We deliver digital growth
More about us:
● www.exove.com
● www.exove.com/gdpr
● @exove
About Janne Kalliola
● Founder and CEO of Exove
○ Continuent, First Hop, SSH, HUT
● Been coding since 1983, first web stuff in
1994
● Major involvements in start-ups - Golf
Gamebook, Scoopshot, Eazybreak, Blyk,
Jaiku
More about me:
● www.kallio.la
● linkedin.com/in/jannekalliola
● @plastic
Agenda
● EU Privacy - General Data Protection Regulation in a nutshell
○ Background
○ New rights for individuals
○ New requirements for companies
● What to do?
○ Practical approach
● Questions & answers
General Data Protection
Regulation
GDPR?
General Data Protection Regulation
Is the EU’s new privacy regulation that harmonises the management of personal
data across the member states and gives new rights to individuals.
Replaces the old directive (95/46/EC), which is outdated and was implemented
differently in each member state.
GDPR in a Nutshell
● GDPR is a regulation, thus it is in
force in all member states without
local legislation
● Local legislation needs to be made
compatible with the regulation, and the
regulation leaves a lot of details to be
adjusted locally
● Adds rights to individuals and
responsibilities to companies
● Applies to all companies -
worldwide - that process
personal data of an EU resident
● GDPR is in force already
● We are currently on a transition
period that ends on May 25th,
2018
● GDPR imposes administrative
sanctions that can be
considerable
Two Data Handling Roles
Controller
● The company collecting the data
and controlling its usage
● Responsible for and able to
demonstrate compliance with
the regulation
○ Including also work done by
processors
Processor
● A company that processes
personal data on behalf of a
controller
● Must be contractually bound
to the controller and follow
written orders
● Must return or delete data
when contract ends
Broad Definition of Personal Data
● GDPR broadens the definition of personal data:
○ Any information concerning an identified or identifiable natural person -
such as name, telephone number, email address, car license plate,
dynamic IP address
○ Pseudonymised data that can be re-identified with the help of additional
data
● GDPR also defines sensitive data that must be handled with special care
○ Political affiliation, health records, genetic & biometric data, etc.
● Children are identified as vulnerable individuals that require specific
protection
○ Consent must be given by a person with parental responsibility for the child
Other Major Concepts
● Transparency and consent - The individuals need to know how and why
their data is used, and companies need to have a valid reason for using the
data
○ Several valid reasons, such as contractual, legal, and based on consent
○ If consent is given, it can be withdrawn anytime
● Privacy by design and default - Systems need to be designed to take
privacy into account from the very beginning
● Accountability - Organisations must be able to prove that they are following
the regulation, i.e. the burden of proof is reversed
○ Requires process documentation, paper trails of decisions, and in some
cases privacy impact assessments
Rights of the Individuals (1/2)
● Access to data - The individuals must be able to see the data
collected about them
○ On request, which must be fulfilled within a month (extensions exist for
some cases), in a commonly used electronic format
○ First copy must be free of charge
● Rectification of inaccurate data - The individuals can ask for inaccurate
data to be corrected
● Right of erasure - The individuals can ask for their data to be removed
● Objecting to processing - The individuals can stop specific kinds of
processing, for example, direct marketing
Rights of the Individuals (2/2)
● Portability - The individuals have the right to have their data ported to
them or to another service
● Restricting processing - The individuals can ask to stop processing
their data for a period of time.
○ Data can also be temporarily removed in this case
● Profiling and automated decision-taking - Profiling based on
sensitive data requires explicit consent, and the individuals can
request manual intervention in automated decision-taking that causes
them significant effects
Data Transfers
● Transfers outside EEA (European Economic Area) are restricted, but
not forbidden
● Transfers require adequate level of data protection, such as following
EU model clauses
● A number of “safe” countries exist whose regulation provides protection
of personal data similar to the GDPR
● Safe Harbor has now been replaced by Privacy Shield, a brand new
arrangement under which US companies self-certify so that they may host
data regulated by the GDPR
Data Breaches
● Processors need to inform the controller “without undue delay after
becoming aware of it”, without exceptions
● Controllers need to inform the authorities within 72 hours after
becoming aware of the breach
● In some cases, the controller will need to inform the data subjects
about the breach
Implications for UX
● Consent is more regulated than before
○ Needs to be specific and unambiguous, cannot be part of other
written agreements
○ Must be active - i.e. no pre-ticked checkboxes
○ Must be reversible
○ A record of the given consent is required
○ Consent cannot be required for a service that works also without
processing personal data
● Privacy policy is more important than before
○ Storage times for the data must be stated, along with a lot of other details
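The consent rules on this slide and the rights listed on the two “Rights of the Individuals” slides translate directly into back-end requirements: nothing is consented to until the person actively says so, every choice is recorded with its provenance, a withdrawal takes effect immediately, and the data held must be exportable and erasable on request. The following Python sketch is an added example written for this page; it is not Exove’s code or part of the original deck. The class and method names, the purpose strings such as “direct-marketing”, and the sample subject are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json


@dataclass
class ConsentEvent:
    """One recorded decision: which purpose, granted or withdrawn, when, and where the choice was made."""
    purpose: str
    granted: bool
    at: datetime
    source: str


@dataclass
class DataSubject:
    subject_id: str
    email: str
    consents: list = field(default_factory=list)


class ConsentLedger:
    """Append-only record of consent decisions, kept per purpose so consent is never bundled."""

    def __init__(self):
        self.subjects = {}

    def register(self, subject_id, email):
        # Registration records no consent at all: every purpose starts as "not granted",
        # which is the code equivalent of an unticked checkbox.
        self.subjects[subject_id] = DataSubject(subject_id, email)

    def record_choice(self, subject_id, purpose, granted, source, at=None):
        """Store an explicit, purpose-specific choice together with where it was made."""
        event = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), source)
        self.subjects[subject_id].consents.append(event)
        return event

    def withdraw(self, subject_id, purpose, source):
        """Withdrawal is just another event; earlier grants stay in the audit trail."""
        return self.record_choice(subject_id, purpose, False, source)

    def has_consent(self, subject_id, purpose):
        """The most recent decision for a purpose wins; with no decision there is no consent."""
        latest = None
        for event in self.subjects[subject_id].consents:
            if event.purpose == purpose and (latest is None or event.at >= latest.at):
                latest = event
        return latest is not None and latest.granted

    def export(self, subject_id):
        """Access and portability: everything held about the subject, as JSON."""
        subject = self.subjects[subject_id]
        return json.dumps({
            "subject_id": subject.subject_id,
            "email": subject.email,
            "consents": [
                {"purpose": e.purpose, "granted": e.granted,
                 "at": e.at.isoformat(), "source": e.source}
                for e in subject.consents
            ],
        }, indent=2)

    def erase(self, subject_id):
        """Right of erasure: drop the subject record. Returns True if something was removed."""
        return self.subjects.pop(subject_id, None) is not None


def send_marketing(ledger, subject_id, message):
    """Gate a direct-marketing send on active consent; returns whether it would be sent."""
    if not ledger.has_consent(subject_id, "direct-marketing"):
        return False
    # A real implementation would hand `message` to the mail system here.
    return True


def demo():
    """Grant, withdraw, export and erase for one constructed sample subject."""
    ledger = ConsentLedger()
    ledger.register("u-1001", "user@example.invalid")   # constructed sample subject
    before = send_marketing(ledger, "u-1001", "hello")  # nothing recorded yet: not sent
    ledger.record_choice("u-1001", "direct-marketing", True, "signup-form")
    granted = send_marketing(ledger, "u-1001", "hello")  # active consent: sent
    ledger.withdraw("u-1001", "direct-marketing", "settings-page")
    after = send_marketing(ledger, "u-1001", "hello")    # withdrawn: not sent
    events = len(json.loads(ledger.export("u-1001"))["consents"])  # both decisions kept
    erased = ledger.erase("u-1001")
    return before, granted, after, events, erased


if __name__ == "__main__":
    print(demo())
```

The ledger keeps withdrawals as events rather than deleting the earlier grant, because the slide asks for a record of the consent given; the export is what a subject-access request would return, and the erasure path is the one place where the record actually disappears.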
Changes in Contracting
● Controller must have written contract with every processor
○ Responsibility goes to the end of the subcontracting chain
● The contract has mandatory clauses stipulated by GDPR
● The actions done by a processor must be defined in writing
What Now?
My Advice
● This is for real, so you had better be prepared
● Start now; soon it will be too late
● Everything that you do now should already be compliant with GDPR
○ Pay attention to your data architecture
○ Think of user rights and how they are implemented
● Train your people
● Get external help, if you do not know how to proceed
You Need to Know Where You Stand
● You need to understand GDPR and its effects on your organisation
● You must understand how data flows in your systems
○ Where, what and why data is stored
○ Check whether data is flowing out of EU or to another controller
● You must have defined and followed procedures for handling personal data
○ These are typically mostly non-existent in start-ups
● You need to have written contracts with all your partners related to personal
data
● You need to be moving now and be compliant by May 25th, 2018
○ There might be some leeway, but I would not count on it
● And if you do nothing, you are just asking for trouble
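The checklist on this slide, together with the earlier “Data Transfers” and “Changes in Contracting” slides, amounts to a data-flow register with a few rules run over it: every flow needs a reason, a storage time, a written contract where a partner is involved, and a safeguard where the data leaves the EEA. The following Python validator is an added example for this page, not Exove’s or Bird & Bird’s tooling. The `Flow` fields, the partial `EEA` set, the safeguard names and the sample register are all constructed for the illustration; the accepted-safeguard set mirrors the mechanisms the deck names and has to be kept in step with current law.

```python
from dataclasses import dataclass

# Constructed, deliberately partial set of EEA country codes for the example;
# a real register must use the authoritative, current list.
EEA = {"FI", "EE", "SE", "DK", "DE", "FR", "IE", "NL", "NO", "IS"}

# Transfer mechanisms the deck names for data leaving the EEA. This set is an
# assumption of the example and must be kept in step with current law.
TRANSFER_SAFEGUARDS = {"adequacy-decision", "eu-model-clauses", "privacy-shield"}


@dataclass
class Flow:
    """One row of a data-flow register: where, what, why, and on what terms."""
    system: str          # where the data is stored or processed
    data: str            # what is stored (category of personal data)
    purpose: str         # why it is stored
    legal_basis: str     # "contract", "legal-obligation", "consent", ... or "" if unknown
    retention_days: int  # defined storage time; 0 means none has been decided
    role: str            # "internal", "processor" or "controller" (who receives the data)
    country: str         # ISO 3166-1 alpha-2 code of the receiving system's location
    contract: bool       # written data-processing contract with the recipient in place
    safeguard: str       # transfer safeguard for non-EEA destinations, "" if none


def check_flow(flow):
    """Return the gaps found for one flow; an empty list means nothing was flagged."""
    gaps = []
    if not flow.legal_basis:
        gaps.append("no legal basis recorded for the processing")
    if flow.retention_days <= 0:
        gaps.append("no storage time defined")
    if flow.role in ("processor", "controller") and not flow.contract:
        gaps.append(f"no written contract with {flow.role} {flow.system}")
    if flow.country not in EEA and flow.safeguard not in TRANSFER_SAFEGUARDS:
        gaps.append(f"transfer to {flow.country} without a recognised safeguard")
    return gaps


def leaves_eea(flows):
    """Systems receiving personal data outside the EEA, safeguarded or not."""
    return sorted(f.system for f in flows if f.country not in EEA)


def gap_report(flows):
    """Map each system with at least one gap to its list of gaps."""
    report = {}
    for flow in flows:
        gaps = check_flow(flow)
        if gaps:
            report[flow.system] = gaps
    return report


# Constructed sample register for a small web start-up.
SAMPLE_FLOWS = [
    Flow("crm-db", "customer contact details", "order fulfilment",
         "contract", 730, "internal", "FI", True, ""),
    Flow("mailing-saas", "email addresses", "newsletter",
         "consent", 365, "processor", "US", False, "privacy-shield"),
    Flow("analytics-vendor", "dynamic IP addresses", "usage analytics",
         "", 0, "processor", "US", True, ""),
    Flow("backup-bucket", "full customer records", "disaster recovery",
         "contract", 0, "processor", "IE", True, ""),
]


if __name__ == "__main__":
    for system, gaps in gap_report(SAMPLE_FLOWS).items():
        print(system)
        for gap in gaps:
            print("  -", gap)
    print("leaves EEA:", leaves_eea(SAMPLE_FLOWS))
```

In the sample register the CRM passes, the mailing provider is flagged only for the missing written contract, the analytics vendor is flagged three times (no legal basis, no storage time, unsafeguarded transfer), and the backup bucket only for the missing storage time; filling in such a register is the concrete form of “knowing where you stand”.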
Our Proposal
● Exove has partnered with Bird & Bird to tackle GDPR challenges within
big and small organisations
● Together, we are able to handle legal, processual, and technical issues
simultaneously
The work is split into two parts:
○ Gap analysis - understanding your current position and the gap
to compliance through structured and tailored interviews, a
workshop and a gap analysis
○ Compliance program - a complete undertaking to ensure GDPR
compliance in your company
Gap Analysis
Contents and description:
● IT and juridical questionnaires - Bird & Bird asks the juridical questions and
Exove focuses on ICT. The questionnaires are typically sent to the people
responsible for ICT, HR, legal and business
● Analysis - Bird & Bird and Exove study the results and write an analysis of
the situation
● Workshop - Bird & Bird and Exove organise a three-hour workshop with the
key people of the client
○ OPTION: The report is reviewed with the client and the situation is
assessed to understand how the client will reach the legally and
technically required compliant state
Results:
● Report with a list of around ten points on the current situation and action
points
● Offer for executing a GDPR compliance program
● Followed by the GDPR compliance program
Compliance Program
● Bird & Bird and Exove plan and execute a complete compliance
program
● Based on the gap analysis findings, industry of the client, and assessed
risks
● Includes changes to processes, documentation, technology, UX, and
contracts
● The depth of the work is to be agreed on a case-by-case basis
Questions & Answers
Thank You!
EXOVE
Janne Kalliola
janne@exove.com
+358 40 558 1796

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 

Recently uploaded (20)

Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 

EU Privacy Laws and Start-Ups

8. Two Data Handling Roles
Controller
● The company collecting the data and controlling its usage
● Responsible for and able to demonstrate compliance with the regulation
○ Including also work done by processors
Processor
● A company that processes personal data on behalf of a controller
● Must be contractually bound to the controller and follow written orders
● Must return or delete the data when the contract ends

9. Broad Definition of Personal Data
● GDPR broadens the definition of personal data:
○ Any information concerning an identified or identifiable natural person, such as name, telephone number, email address, car license plate, or dynamic IP address
○ Pseudonymised data that can be reversed to identifiable data with additional information
● GDPR also defines sensitive data that must be handled with special care
○ Political affiliation, health records, genetic & biometric data, etc.
● Children are identified as vulnerable individuals that require specific protection
○ Consent is given by the person with parental responsibility for the child

10. Other Major Concepts
● Transparency and consent - The individuals need to know how and why their data is used, and companies need to have a valid reason for the data usage
○ Several valid reasons, such as contractual, legal, and based on consent
○ If consent is given, it can be withdrawn at any time
● Privacy by design and default - Systems need to be designed to take privacy into account from the very beginning
● Accountability - Organisations must be able to prove that they are following the regulation, i.e. the burden of proof is reversed
○ Requires process documentation, paper trails of decisions, and in some cases privacy impact assessments

11. Rights of the Individuals (1/2)
● Access to data - The individuals must be able to see the data collected about them
○ By request that must be fulfilled within a month (extensions exist for some cases), in a commonly used electronic format
○ The first copy must be free of charge
● Rectification of inaccurate data - The individuals can ask for inaccurate data to be corrected
● Right of erasure - The individuals can ask for data to be removed
● Objection to processing - The individuals can stop a specific kind of processing, for example direct marketing

12. Rights of the Individuals (2/2)
● Portability - The individuals have the right to have their data ported to them or to another service
● Restricting processing - The individuals can ask to stop processing their data for a period of time
○ Data can also be temporarily removed in this case
● Profiling and automated decision-taking - Profiling based on sensitive data requires explicit consent, and the individuals can request manual intervention in automated decision-taking that causes them significant effects
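The rights on slides 11 and 12 are easiest to reason about as operations on a data store, each one leaving a paper trail. The registry below is an added example (not Exove's or the deck's code): the record layout, the purpose names such as `direct_marketing`, and the sample subject are constructed, and the point it makes is that every processing path should go through one gate that honours objections and restrictions.

```python
"""Added example: a minimal personal-data registry implementing the subject
rights on slides 11-12 (access, rectification, erasure, objection, portability,
restriction) with a paper trail per request. Not Exove's code; the record
layout, purpose names and the sample subject are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ProcessingRestricted(Exception):
    """Raised when a record under restriction is used for anything but storage."""


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict                                    # the personal data itself
    objections: set = field(default_factory=set)  # purposes the subject objected to
    restricted: bool = False                      # processing paused at the subject's request
    log: list = field(default_factory=list)       # paper trail for accountability


class Registry:
    def __init__(self) -> None:
        self._records: dict[str, SubjectRecord] = {}

    def _log(self, rec: SubjectRecord, action: str, detail: str = "") -> None:
        rec.log.append({"at": datetime.now(timezone.utc).isoformat(), "action": action, "detail": detail})

    def add(self, subject_id: str, **data: str) -> None:
        rec = SubjectRecord(subject_id, dict(data))
        self._records[subject_id] = rec
        self._log(rec, "collected", ",".join(sorted(data)))

    def export(self, subject_id: str) -> str:
        """Access and portability: a copy in a commonly used electronic format (JSON)."""
        rec = self._records[subject_id]
        self._log(rec, "access")
        return json.dumps({"subject_id": rec.subject_id, "data": rec.data,
                           "objections": sorted(rec.objections),
                           "restricted": rec.restricted}, sort_keys=True)

    def rectify(self, subject_id: str, **corrections: str) -> None:
        rec = self._records[subject_id]
        rec.data.update(corrections)
        self._log(rec, "rectified", ",".join(sorted(corrections)))

    def object_to(self, subject_id: str, purpose: str) -> None:
        rec = self._records[subject_id]
        rec.objections.add(purpose)
        self._log(rec, "objection", purpose)

    def restrict(self, subject_id: str, restricted: bool = True) -> None:
        rec = self._records[subject_id]
        rec.restricted = restricted
        self._log(rec, "restricted" if restricted else "unrestricted")

    def erase(self, subject_id: str) -> bool:
        """Right of erasure: the record goes away entirely; True if it existed."""
        return self._records.pop(subject_id, None) is not None

    def audit_trail(self, subject_id: str) -> list:
        return list(self._records[subject_id].log)

    def use_for(self, subject_id: str, purpose: str) -> dict:
        """Single gate for every processing operation: refused while processing
        is restricted or the subject has objected to this purpose."""
        rec = self._records[subject_id]
        if rec.restricted:
            raise ProcessingRestricted(f"{subject_id}: processing is restricted")
        if purpose in rec.objections:
            raise PermissionError(f"{subject_id}: objected to {purpose}")
        self._log(rec, "processed", purpose)
        return dict(rec.data)


def demo() -> dict:
    # Walk one constructed subject through the rights and return the outcomes.
    reg = Registry()
    reg.add("u1", name="Anna Example", email="anna@example.invalid")  # constructed sample
    reg.object_to("u1", "direct_marketing")
    try:
        reg.use_for("u1", "direct_marketing")
        marketing_blocked = False
    except PermissionError:
        marketing_blocked = True
    reg.rectify("u1", name="Anna Exempel")
    exported = json.loads(reg.export("u1"))
    reg.restrict("u1")
    try:
        reg.use_for("u1", "billing")
        restricted_blocked = False
    except ProcessingRestricted:
        restricted_blocked = True
    audit_entries = len(reg.audit_trail("u1"))  # collected, objection, rectified, access, restricted
    return {"marketing_blocked": marketing_blocked,
            "name_after_rectify": exported["data"]["name"],
            "restricted_blocked": restricted_blocked,
            "audit_entries": audit_entries,
            "erased": reg.erase("u1")}
```

Refused operations are deliberately not logged as processing, so the trail only ever records what actually happened to the data; a production system would additionally keep the erasure event itself in a separate log that does not contain the personal data.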
13. Data Transfers
● Transfers outside the EEA (European Economic Area) are restricted, but not forbidden
● Transfers require an adequate level of data protection, such as following the EU model clauses
● A number of safe countries whose regulation provides similar protection of personal data as GDPR
● Safe Harbor is now replaced with Privacy Shield, a brand new deal to self-certify US companies to allow hosting data regulated by the GDPR

14. Data Breaches
● Processors need to inform the controller “without undue delay after becoming aware of it”, without exceptions
● Controllers need to inform the authorities within 72 hours after becoming aware of the breach
● In some cases, the controller will need to inform the data subjects about the breach

15. Implications for UX
● Consent is more regulated than before
○ Needs to be specific and unambiguous, and cannot be part of other written agreements
○ Must be active, i.e. no pre-ticked checkboxes
○ Must be reversible
○ A record of the given consent is required
○ Consent cannot be required for a service that also works without processing personal data
● The privacy policy is more important than before
○ Data has to have storage times, and a lot of other tidbits
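The consent rules on slide 15 translate into a small data model: one purpose per decision, nothing granted by default, every grant and withdrawal appended to a record that also notes which wording the person saw, and the storage time of each data category enforced rather than merely stated in the policy. The ledger below is an added example, not Exove's code; the purposes, the wording version identifiers and the dates are constructed.

```python
"""Added example: a consent ledger and retention purge for the UX rules on
slide 15 (specific, active, reversible, recorded consent; stated storage
times). Not Exove's code; purposes, wording versions and dates are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # one specific purpose per event, never a bundle
    granted: bool       # True = consent given, False = consent withdrawn
    at: datetime
    text_version: str   # which wording the user saw, so the record can be reproduced


class ConsentLedger:
    """Append-only record of consent decisions; entries are never edited in place."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               text_version: str, at: datetime | None = None) -> None:
        self._events.append(ConsentEvent(subject_id, purpose, granted,
                                         at or datetime.now(timezone.utc), text_version))

    def has_consent(self, subject_id: str, purpose: str,
                    at: datetime | None = None) -> bool:
        """No event means no consent (the box starts unticked); the latest
        event wins, so a withdrawal revokes an earlier grant."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return max(relevant, key=lambda e: e.at).granted if relevant else False

    def history(self, subject_id: str) -> list[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id]


def permitted_purposes(ledger: ConsentLedger, subject_id: str,
                       optional_purposes: set[str], at: datetime) -> set[str]:
    """Optional purposes the subject has opted in to. The service itself is not
    gated on any of them: consent is a permission, not a precondition."""
    return {p for p in optional_purposes if ledger.has_consent(subject_id, p, at)}


@dataclass(frozen=True)
class StoredItem:
    subject_id: str
    category: str
    stored_at: datetime
    retention: timedelta  # storage time the privacy policy states for this category


def purge_expired(items: list[StoredItem], now: datetime) -> tuple[list, list]:
    """Split items into (kept, purged) by their stated storage time."""
    kept = [i for i in items if i.stored_at + i.retention > now]
    purged = [i for i in items if i.stored_at + i.retention <= now]
    return kept, purged


def demo() -> dict:
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed timeline
    ledger = ConsentLedger()
    before = ledger.has_consent("u1", "newsletter", at=t0)   # nothing pre-ticked
    ledger.record("u1", "newsletter", True, "consent-text-v3", at=t0)
    ledger.record("u1", "analytics", True, "consent-text-v3", at=t0)
    after_grant = permitted_purposes(ledger, "u1", {"newsletter", "analytics"}, t0)
    # Ten days later the user withdraws newsletter consent from the settings page.
    t1 = t0 + timedelta(days=10)
    ledger.record("u1", "newsletter", False, "consent-text-v3", at=t1)
    after_withdraw = permitted_purposes(ledger, "u1", {"newsletter", "analytics"}, t1)
    items = [StoredItem("u1", "order_history", t0, timedelta(days=730)),  # constructed
             StoredItem("u1", "web_logs", t0, timedelta(days=30))]
    _, purged = purge_expired(items, t0 + timedelta(days=45))
    return {"before": before, "after_grant": sorted(after_grant),
            "after_withdraw": sorted(after_withdraw),
            "purged": [i.category for i in purged],
            "events": len(ledger.history("u1"))}
```

Keeping the ledger append-only is what makes the "record of the given consent" usable under the reversed burden of proof: the history shows when each grant and withdrawal happened and against which text, instead of a single boolean that has been overwritten.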
16. Changes in Contracting
● The controller must have a written contract with every processor
○ Responsibility extends to the end of the subcontracting chain
● The contract has mandatory clauses stipulated by the GDPR
● The actions done by a processor must be defined in writing

18. My Advice
● This is for real, so better be prepared
● Start now; soon you are late
● Everything that you do now should already be compliant with the GDPR
○ Pay attention to your data architecture
○ Think of user rights and how they are implemented
● Train your people
● Get external help if you do not know how to proceed

19. You Need to Know Where You Stand
● You need to understand the GDPR and its effects on your organisation
● You must understand how data flows in your systems
○ Where, what and why data is stored
○ Check whether data is flowing out of the EU or to another controller
● You must have defined and followed procedures for handling personal data
○ These are typically mostly non-existent in start-ups
● You need to have written contracts with all your partners related to personal data
● You need to be moving now and be compliant by May 25th, 2018
○ There might be some leeway, but I would not count on it
● And if you do nothing, you are just asking for trouble

20. Our Proposal
● Exove has partnered with Bird & Bird to tackle GDPR challenges within big and small organisations
● Together, we are able to handle legal, processual, and technical issues simultaneously
The work is split into two parts:
○ Gap analysis - understanding your current position and the gap towards compliance through structured and tailored interviews, a workshop and gap analysis
○ Compliance program - a complete undertaking to ensure GDPR compliance in your company

21. Gap Analysis
Contents:
● IT and juridical questionnaires - Bird & Bird asks the juridical questions and Exove focuses on ICT. The questionnaires are typically sent to the people responsible for ICT, HR, legal and business.
● Analysis - Bird & Bird and Exove study the results and write an analysis of the situation.
● Workshop - Bird & Bird and Exove organise a three-hour workshop with the key people of the client.
● GDPR compliance program (option) - The report is gone through with the client and the situation is assessed to understand how the client will reach the legally and technically required compliant state.
Results:
● Report with an around ten-point list of the current situation and action points.
● Offer for executing a GDPR compliance program.

22. Compliance Program
● Bird & Bird and Exove plan and execute a complete compliance program
● Based on the gap analysis findings, the industry of the client, and assessed risks
● Includes changes to processes, documentation, technology, UX, and contracts
● The depth of the work is to be agreed on a case by case basis