EU Privacy Laws and Start-Ups
EXOVE 2017
About Exove
● Digital design and development
company in Finland, Estonia, and the UK
● Full service portfolio from business
consulting and service design to
development and care
● We serve both multinational giants and
new start-ups alike
● Start-up sweat equity investments
through Exove Ventures
● We deliver digital growth
More about us:
● www.exove.com
● www.exove.com/gdpr
● @exove
About Janne Kalliola
● Founder and CEO of Exove
○ Continuent, First Hop, SSH, HUT
● Been coding since 1983, first web stuff in
1994
● Major involvements in start-ups - Golf
Gamebook, Scoopshot, Eazybreak, Blyk,
Jaiku
More about me:
● www.kallio.la
● linkedin.com/in/jannekalliola
● @plastic
Agenda
● EU Privacy - General Data Protection Regulation in a nutshell
○ Background
○ New rights for individuals
○ New requirements for companies
● What to do?
○ Practical approach
● Questions & answers
General Data Protection
Regulation
GDPR?
General Data Protection Regulation
Is the EU’s new privacy regulation that harmonises the management of personal
data across the member states and gives new rights to individuals.
Replaces the old directive (95/46/EC), which is outdated and was implemented
differently in each member state.
GDPR in a Nutshell
● GDPR is a regulation, thus it is in
force in all member states without
local legislation
● Needs local legislation to be
compatible with the regulation and
allows a lot of locally adjustable
details
● Adds rights to individuals and
responsibilities to companies
● Applies to all companies -
worldwide - that process
personal data of an EU resident
● GDPR is in force already
● We are currently in a transition
period that ends on May 25th,
2018
● GDPR imposes administrative
sanctions that can be
considerable
Two Data Handling Roles
Controller
● The company collecting the data
and controlling its usage
● Responsible for and able to
demonstrate compliance with
the regulation
○ Including also work done by
processors
Processor
● A company that processes
personal data on behalf of a
controller
● Must be contractually bound
to the controller and follow
written orders
● Must return or delete data
when contract ends
Broad Definition of Personal Data
● GDPR broadens the definition of personal data:
○ Any information concerning an identified or identifiable natural person -
such as name, telephone number, email address, car license plate,
dynamic IP address
○ Pseudonymized data that can be re-identified with additional
data
● GDPR also defines sensitive data that must be handled with special care
○ Political affiliation, health records, genetic & biometric data, etc.
● Children are identified as vulnerable individuals that require specific
protection
○ Consent given by person with parental responsibility for the child
Other Major Concepts
● Transparency and consent - The individuals need to know how and why
their data is used, and companies need to have a valid reason for the data
usage
○ Several valid reasons exist, such as contractual, legal, and consent-based
○ If consent is given, it can be withdrawn anytime
● Privacy by design and default - Systems need to be designed to take
privacy into account from the very beginning
● Accountability - Organisations must be able to prove that they are following
the regulation, i.e. the burden of proof is reversed
○ Requires process documentation, paper trails of decisions, and in some
cases privacy impact assessments
Rights of the Individuals (1/2)
● Access to data - The individuals must be able to see the data
collected about them
○ On request, which must be fulfilled within a month (extensions apply in
some cases), in a commonly used electronic format.
○ First copy must be free of charge
● Rectification of inaccurate data - The individuals can ask inaccurate
data to be corrected
● Right of erasure - The individuals can ask data to be removed
● Objection to processing - The individuals can stop specific kinds of
processing, for example, direct marketing
Rights of the Individuals (2/2)
● Portability - The individuals have right to have their data ported to
them or to another service
● Restricting processing - The individuals can ask to stop processing
their data for a period of time.
○ Data can also be temporarily removed in this case
● Profiling and automated decision-taking - Profiling based on
sensitive data requires explicit consent, and the individuals can
request manual intervention in automated decision-taking that causes
them significant effects
Data Transfers
● Transfers outside EEA (European Economic Area) are restricted, but
not forbidden
● Transfers require an adequate level of data protection, such as following
the EU model clauses
● A number of safe countries have regulation that provides protection of
personal data similar to GDPR
● Safe Harbor is now replaced with Privacy Shield, a brand new arrangement
under which US companies self-certify in order to host data regulated by
the GDPR
Data Breaches
● Processors need to inform the controller “without undue delay after
becoming aware of it”, without exceptions
● Controllers need to inform the authorities within 72 hours after
becoming aware of the breach
● In some cases, the controller will need to inform the data subjects
about the breach
Implications for UX
● Consent is more regulated than before
○ Needs to be specific and unambiguous, cannot be part of other
written agreements
○ Must be active - i.e. no pre-ticked checkboxes
○ Must be reversible
○ A record of the given consent is required
○ Consent cannot be made a condition of a service that also works
without processing the personal data
● Privacy policy is more important than before
○ Data has to have stated storage times, and a lot of other details
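The consent rules on this slide translate directly into a data model. The following is an added example, not code from the slides or from Exove: a minimal append-only consent ledger in which consent is recorded per purpose, a pre-ticked box is rejected rather than counted as consent, withdrawal is always accepted and recorded, and the full history stays available for an access request. All names (ConsentLedger, ConsentEvent, the three declared purposes, the subject id and timestamps) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Purposes are declared one by one, so consent is asked and recorded per
# purpose rather than bundled. These three are assumed for the example.
DECLARED_PURPOSES = {"newsletter", "analytics", "profiling"}


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger line: the record of consent the slide calls for."""
    subject_id: str
    purpose: str
    granted: bool                  # True = consent given, False = withdrawn
    at: datetime
    policy_version: Optional[str]  # privacy policy text the person saw (None on withdrawal)
    source: str                    # where the choice was made: form id, API route, etc.


class ConsentLedger:
    """Append-only store of consent decisions; current state is derived from history."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_form_consent(self, subject_id: str, purpose: str, *,
                            box_default_checked: bool, box_submitted_checked: bool,
                            policy_version: str, source: str,
                            at: Optional[datetime] = None) -> bool:
        """Record consent only if it came from an active, specific choice.

        Returns True when a consent event was written. A pre-ticked box is
        rejected as a design error instead of being counted as consent, and an
        unticked box writes nothing: no consent, but not a withdrawal either.
        """
        if purpose not in DECLARED_PURPOSES:
            raise ValueError(f"undeclared purpose: {purpose!r}")
        if box_default_checked:
            raise ValueError("pre-ticked consent box: consent must be an active act")
        if not box_submitted_checked:
            return False
        self._events.append(ConsentEvent(subject_id, purpose, True,
                                         at or datetime.now(timezone.utc),
                                         policy_version, source))
        return True

    def withdraw(self, subject_id: str, purpose: str, *, source: str,
                 at: Optional[datetime] = None) -> None:
        """Withdrawal is accepted unconditionally and is itself recorded."""
        self._events.append(ConsentEvent(subject_id, purpose, False,
                                         at or datetime.now(timezone.utc),
                                         None, source))

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Latest decision for this subject and purpose wins; the default is no consent."""
        when = at or datetime.now(timezone.utc)
        state = False
        for event in sorted(self._events, key=lambda e: e.at):
            if (event.subject_id == subject_id and event.purpose == purpose
                    and event.at <= when):
                state = event.granted
        return state

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded about one person, e.g. to answer an access request."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> dict:
    """Give, refuse, withdraw and query consent on constructed sample data."""
    ledger = ConsentLedger()
    signup = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    later = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    common = dict(policy_version="2018-05", source="signup-form", at=signup)
    results = {}
    results["newsletter_recorded"] = ledger.record_form_consent(
        "subject-42", "newsletter", box_default_checked=False,
        box_submitted_checked=True, **common)
    results["analytics_recorded"] = ledger.record_form_consent(
        "subject-42", "analytics", box_default_checked=False,
        box_submitted_checked=False, **common)
    try:
        ledger.record_form_consent("subject-42", "profiling", box_default_checked=True,
                                   box_submitted_checked=True, **common)
        results["preticked_rejected"] = False
    except ValueError:
        results["preticked_rejected"] = True
    results["newsletter_at_signup"] = ledger.has_consent("subject-42", "newsletter", at=signup)
    ledger.withdraw("subject-42", "newsletter", source="account-settings", at=later)
    results["newsletter_after_withdrawal"] = ledger.has_consent("subject-42", "newsletter", at=later)
    results["analytics"] = ledger.has_consent("subject-42", "analytics", at=later)
    results["history_len"] = len(ledger.history("subject-42"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger never deletes a line when consent is withdrawn: the accountability point on the earlier slide is that the company must be able to show, later, that consent existed at the time a given processing step ran, which is exactly what `has_consent(..., at=...)` answers from the history. The policy version and the source of the choice are stored for the same reason.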
Changes in Contracting
● Controller must have a written contract with every processor
○ Responsibility goes to the end of the subcontracting chain
● The contract has mandatory clauses stipulated by GDPR
● The actions done by a processor must be defined in writing
What Now?
My Advice
● This is for real, so better be prepared
● Start now, or soon you will be late
● Everything that you do now should already be compliant with GDPR
○ Pay attention to your data architecture
○ Think of user rights and how they are implemented
● Train your people
● Get external help, if you do not know how to proceed
You Need to Know Where You Stand
● You need to understand GDPR and its effects on your organisation
● You must understand how data flows in your systems
○ Where, what and why data is stored
○ Check whether data is flowing out of EU or to another controller
● You must have defined and followed procedures for handling personal data
○ These are typically non-existent in start-ups
● You need to have written contracts with all your partners related to personal
data
● You need to be moving now and be compliant by May 25th, 2018
○ There might be some leeway, but I would not count on it
● And if you do nothing, you are just asking for trouble
Our Proposal
● Exove has partnered with Bird & Bird to tackle GDPR challenges within
big and small organisations
● Together, we are able to handle legal, processual, and technical issues
simultaneously
The work is split into two parts:
○ Gap analysis - understanding your current position and the gap
towards compliance through structured and tailored interviews, a
workshop and a gap analysis
○ Compliance program - a complete undertaking to ensure GDPR
compliance in your company
Gap Analysis
Contents
○ Phases: IT and juridical questionnaires, analysis, workshop, GDPR
compliance program
Description
○ Bird & Bird asks the juridical questions and Exove focuses on ICT. The
questionnaires are typically sent to the people responsible for ICT, HR,
legal and business
○ Bird & Bird and Exove study the results and write an analysis of the
situation
○ Bird & Bird and Exove organise a three-hour workshop with the key
people of the client
○ Option: the report is reviewed with the client and the situation is
assessed to understand how the client will reach the legally and
technically required compliant state
Results
○ Report with a list of around ten points covering the current situation
and action points
○ Offer for executing a GDPR compliance program
Compliance Program
● Bird & Bird and Exove plan and execute a complete compliance
program
● Based on the gap analysis findings, industry of the client, and assessed
risks
● Includes changes to processes, documentation, technology, UX, and
contracts
● The depth of the work is to be agreed on a case-by-case basis
Questions & Answers
Thank You!
EXOVE
Janne Kalliola
janne@exove.com
+358 40 558 1796
Gen-AI in Telcos: Strategies, Challenges & Impact
aejazahamed4
 
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
Toru Tamaki
 
Coordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar SlidesCoordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar Slides
Safe Software
 
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
WriteMe
 

Recently uploaded (20)

Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Quantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLMQuantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLM
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
Comparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdfComparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdf
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
Gen-AI in Telcos: Strategies, Challenges & Impact
Gen-AI in Telcos: Strategies, Challenges & ImpactGen-AI in Telcos: Strategies, Challenges & Impact
Gen-AI in Telcos: Strategies, Challenges & Impact
 
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
 
Coordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar SlidesCoordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar Slides
 
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
 

EU Privacy Laws and Start-Ups

1. EU Privacy Laws and Start-Ups
EXOVE 2017

2. About Exove
● Digital design and development company in Finland, Estonia, and the UK
● Full service portfolio from business consulting and service design to development and care
● We serve both multinational giants and new start-ups alike
● Start-up sweat equity investments through Exove Ventures
● We deliver digital growth
More about us:
● www.exove.com
● www.exove.com/gdpr
● @exove

3. About Janne Kalliola
● Founder and CEO of Exove
○ Continuent, First Hop, SSH, HUT
● Been coding since 1983, first web stuff in 1994
● Major involvements in start-ups - Golf Gamebook, Scoopshot, Eazybreak, Blyk, Jaiku
More about me:
● www.kallio.la
● linkedin.com/in/jannekalliola
● @plastic

4. Agenda
● EU Privacy - General Data Protection Regulation in a nutshell
○ Background
○ New rights for individuals
○ New requirements for companies
● What to do?
○ Practical approach
● Questions & answers

6. GDPR?
The General Data Protection Regulation is the EU’s new privacy regulation that harmonises the management of personal data in the member states and gives new rights to individuals.
It replaces the old directive (95/46/EC), which is outdated and implemented differently in the member states.

7. GDPR in a Nutshell
● GDPR is a regulation, thus it is in force in all member states without local legislation
● Needs local legislation to be compatible with the regulation and allows a lot of locally adjustable details
● Adds rights to individuals and responsibilities to companies
● Applies to all companies - worldwide - that process personal data of an EU resident
● GDPR is in force already
● We are currently in a transition period that ends on May 25th, 2018
● GDPR imposes administrative sanctions that can be considerable

8. Two Data Handling Roles
Controller
● The company collecting the data and controlling its usage
● Responsible for and able to demonstrate compliance with the regulation
○ Including also work done by processors
Processor
● A company that processes personal data on behalf of a controller
● Must be contractually bound to the controller and follow written orders
● Must return or delete data when the contract ends

9. Broad Definition of Personal Data
● GDPR broadens the definition of personal data:
○ Any information concerning an identified or identifiable natural person - such as name, telephone number, email address, car license plate, dynamic IP address
○ Pseudonymised data that can be reversed to identifiable form with additional data
● GDPR also defines sensitive data that must be handled with special care
○ Political affiliation, health records, genetic & biometric data, etc.
● Children are identified as vulnerable individuals that require specific protection
○ Consent is given by the person with parental responsibility for the child

10. Other Major Concepts
● Transparency and consent - Individuals need to know how and why their data is used, and companies need to have a valid reason for the data usage
○ Several valid reasons, such as contractual, legal, and based on consent
○ If consent is given, it can be withdrawn at any time
● Privacy by design and default - Systems need to be designed to take privacy into account from the very beginning
● Accountability - Organisations must be able to prove that they are following the regulation, i.e. reversed burden of proof
○ Requires process documentation, paper trails of decisions, and in some cases privacy impact assessments

11. Rights of the Individuals (1/2)
● Access to data - Individuals must be able to see the data collected about them
○ By request that must be fulfilled within a month (there are extensions for some cases), in a commonly used electronic format
○ The first copy must be free of charge
● Rectification of inaccurate data - Individuals can ask for inaccurate data to be corrected
● Right of erasure - Individuals can ask for data to be removed
● Objection to processing - Individuals can stop specific kinds of processing, for example direct marketing

12. Rights of the Individuals (2/2)
● Portability - Individuals have the right to have their data ported to them or to another service
● Restricting processing - Individuals can ask to stop processing their data for a period of time
○ Data can also be temporarily removed in this case
● Profiling and automated decision-taking - Profiling based on sensitive data requires explicit consent, and individuals can request manual intervention in automated decision-taking that causes them significant effects

13. Data Transfers
● Transfers outside the EEA (European Economic Area) are restricted, but not forbidden
● Transfers require an adequate level of data protection, such as following the EU model clauses
● A number of safe countries have regulation that provides similar protection of personal data as GDPR
● Safe Harbor is now replaced with Privacy Shield, a brand new deal to self-certify US companies to allow hosting data regulated by the GDPR

14. Data Breaches
● Processors need to inform the controller “without undue delay after becoming aware of it”, without exceptions
● Controllers need to inform the authorities within 72 hours after becoming aware of the breach
● In some cases, the controller will need to inform the data subjects about the breach

15. Implications for UX
● Consent is more regulated than before
○ Needs to be specific and unambiguous, cannot be part of other written agreements
○ Must be active - i.e. no pre-ticked checkboxes
○ Must be reversible
○ A record of the given consent is required
○ Consent cannot be required for a service that works also without processing personal data
● Privacy policy is more important than before
○ Data has to have storage times, and a lot of other tidbits
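The consent rules on slide 15 and the individual rights on slides 11 and 12 translate directly into data-model decisions: consent has to default to "not given", be recorded per purpose together with the policy text the person saw, stay withdrawable, and leave an audit trail; access, erasure and restriction requests need a code path that actually honours them. The following is an added Python example written for this page, not code from Exove or from the slides. The subject id, email address, purpose name and policy version are constructed sample values, and the one-calendar-month deadline is a simplification of slide 11's "within a month" rule that does not model the extensions the slide mentions.

```python
"""Consent ledger and data-subject request helpers (added example, not Exove's code)."""
from __future__ import annotations
import calendar
import json
from dataclasses import asdict, dataclass
from datetime import date, datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    """One append-only audit record: an explicit opt-in or a withdrawal."""
    subject_id: str
    purpose: str          # consent is specific to one purpose, never a blanket
    policy_version: str   # which consent text the person actually saw
    given: bool           # True = opt-in, False = withdrawal
    at: str               # ISO-8601 UTC timestamp, kept as text for easy export

class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def _append(self, subject_id, purpose, policy_version, given) -> None:
        self.events.append(ConsentEvent(subject_id, purpose, policy_version, given,
                                        datetime.now(timezone.utc).isoformat()))

    def record_opt_in(self, subject_id: str, purpose: str, policy_version: str) -> None:
        # Only an explicit user action creates an opt-in; a pre-ticked default never does.
        self._append(subject_id, purpose, policy_version, True)

    def withdraw(self, subject_id: str, purpose: str) -> None:
        # Withdrawal is appended, not deleted, so the history stays demonstrable.
        self._append(subject_id, purpose, "", False)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # No event at all means no consent; otherwise the latest event decides.
        latest = None
        for event in self.events:
            if event.subject_id == subject_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.given

class PersonalDataStore:
    """Holds personal data and serves access, erasure and restriction requests."""
    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self.records: dict[str, dict] = {}
        self.restricted: set[str] = set()

    def export(self, subject_id: str) -> str | None:
        """Access / portability: everything held about the subject, as JSON."""
        if subject_id not in self.records:
            return None
        consents = [asdict(e) for e in self.ledger.events if e.subject_id == subject_id]
        return json.dumps({"subject_id": subject_id, "data": self.records[subject_id],
                           "consents": consents}, indent=2)

    def erase(self, subject_id: str) -> bool:
        """Erasure: True only if something was actually removed."""
        self.restricted.discard(subject_id)
        return self.records.pop(subject_id, None) is not None

    def restrict(self, subject_id: str) -> None:
        """Restriction: the data stays stored but must not be processed."""
        self.restricted.add(subject_id)

    def process_for(self, subject_id: str, purpose: str) -> dict:
        """The only read path: refuses on restriction or missing consent."""
        if subject_id in self.restricted:
            raise PermissionError(f"processing restricted for {subject_id}")
        if not self.ledger.has_consent(subject_id, purpose):
            raise PermissionError(f"no valid consent for {purpose!r} from {subject_id}")
        return self.records[subject_id]

def response_deadline(received_iso: str) -> str:
    """Due date for answering a request: one calendar month after receipt.
    Simplification of slide 11; the extensions it mentions are not modelled."""
    received = date.fromisoformat(received_iso)
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day)).isoformat()

def demo() -> dict:
    """Walks one constructed subject through opt-in, withdrawal, export, restriction, erasure."""
    ledger = ConsentLedger()
    store = PersonalDataStore(ledger)
    store.records["subject-1"] = {"email": "alice@example.invalid"}   # constructed sample
    before = ledger.has_consent("subject-1", "newsletter")
    ledger.record_opt_in("subject-1", "newsletter", "privacy-policy-v1")
    after = ledger.has_consent("subject-1", "newsletter")
    ledger.withdraw("subject-1", "newsletter")
    exported = json.loads(store.export("subject-1"))
    store.restrict("subject-1")
    try:
        store.process_for("subject-1", "newsletter")
        blocked = False
    except PermissionError:
        blocked = True
    return {"consent_before_opt_in": before, "consent_after_opt_in": after,
            "consent_after_withdrawal": ledger.has_consent("subject-1", "newsletter"),
            "audit_events_exported": len(exported["consents"]),
            "restricted_processing_blocked": blocked,
            "erased": store.erase("subject-1"),
            "export_after_erasure": store.export("subject-1")}
```

Two design choices carry the weight here. The ledger is append-only, so a withdrawal never destroys the record that consent was once given, which is what the accountability principle on slide 10 asks a company to be able to show; and `process_for` is the single read path, so a restriction or a missing opt-in is enforced in code rather than left to every caller to remember. Calling `demo()` returns `False` for consent before the opt-in, `True` after it, `False` again after withdrawal, two exported audit events, a blocked read under restriction, and `None` from `export` once the record has been erased.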
16. Changes in Contracting
● The controller must have a written contract with every processor
○ Responsibility goes to the end of the subcontracting chain
● The contract has mandatory clauses stipulated by GDPR
● The actions done by a processor must be defined in writing

18. My Advice
● This is for real, so better be prepared
● Start now, soon you are late
● Everything that you do now should already be compliant with GDPR
○ Pay attention to your data architecture
○ Think of user rights and how they are implemented
● Train your people
● Get external help if you do not know how to proceed

19. You Need to Know Where You Stand
● You need to understand GDPR and its effects on your organisation
● You must understand how data flows in your systems
○ Where, what and why data is stored
○ Check whether data is flowing out of the EU or to another controller
● You must have defined and followed procedures for handling personal data
○ These are typically mostly non-existent in start-ups
● You need to have written contracts with all your partners related to personal data
● You need to be moving now and be compliant by May 25th, 2018
○ There might be some leeway, but I would not count on it
● And if you do nothing, you are just asking for trouble

20. Our Proposal
● Exove has partnered with Bird & Bird to tackle GDPR challenges within big and small organisations
● Together, we are able to handle legal, processual, and technical issues simultaneously
The work is split into two parts:
○ Gap analysis - understanding your current position and the gap towards compliance through structured and tailored interviews, a workshop and a gap analysis
○ Compliance program - a complete undertaking to ensure GDPR compliance in your company

21. Gap Analysis
Analysis (IT and juridical)
● Description: Bird & Bird asks the juridical questions and Exove focuses on ICT. The questionnaires are typically sent to the people responsible for ICT, HR, legal and business.
● Contents: Bird & Bird and Exove study the results and write an analysis of the situation.
Workshop
● Description: Bird & Bird and Exove organise a three hour workshop with the key people of the client.
● Results: A report with an around ten-point list of the current situation and action points.
OPTION: GDPR compliance program
● Description: The report is gone through with the client and the situation is assessed to understand how the client will reach the legally and technically required compliant state.
● Results: An offer for executing a GDPR compliance program.

22. Compliance Program
● Bird & Bird and Exove plan and execute a complete compliance program
● Based on the gap analysis findings, the industry of the client, and assessed risks
● Includes changes to processes, documentation, technology, UX, and contracts
● The depth of the work is to be agreed on a case by case basis