European Union Privacy Laws - General Data Protection Regulation (GDPR) - has deep impacts also on start-ups and early stage companies. This sessions provides basic info about GDPR and how to deal with it.

1. EU Privacy Laws and Start-Ups
EXOVE 2017

2. About Exove
● Digital design and development
company in Finland, Estonia, and the UK
● Full service portfolio from business
consulting and service design to
development and care
● We serve both multinational giants and
new start-ups alike
● Start-up sweat equity investments
through Exove Ventures
● We deliver digital growth
More about us:
● www.exove.com
● www.exove.com/gdpr
● @exove

3. About Janne Kalliola
● Founder and CEO of Exove
○ Continuent, First Hop, SSH, HUT
● Been coding since 1983, first web stuff in
1994
● Major involvements in start-ups - Golf
Gamebook, Scoopshot, Eazybreak, Blyk,
Jaiku
More about me:
● www.kallio.la
● linkedin.com/in/jannekalliola
● @plastic

4. Agenda
● EU Privacy - General Data Protection Regulation in a nutshell
○ Background
○ New rights for individuals
○ New requirements for companies
● What to do?
○ Practical approach
● Questions & answers

5. General Data Protection
Regulation

6. GDPR?
General Data Protection Regulation
Is the EU’s new privacy regulation that harmonises the managing personal
data in the member states and gives new rights to the individuals.
Replaces old directive (95/46/EC) that is outdated and implemented
differently in member states.

7. GDPR in a Nutshell
● GDPR is a regulation, thus it is in
force in all member states without
local legislation
● Needs local legislation to be
compatible with the regulation and
allows a lot of locally adjustable
details
● Adds rights to individuals and
responsibilities to companies
● Applies to all companies -
worldwide - that process
personal data of an EU resident
● GDPR is in force already
● We are currently on a transition
period that ends on May 25th,
2018
● GDPR imposes administrative
sanctions that can be
considerable

8. Two Data Handling Roles
Controller
● The company collecting the data
and controlling its usage
● Responsible for and able to
demonstrate compliance with
the regulation
○ Including also work done by
processors
Processor
● A company that processes
personal data on behalf of a
controller
● Must be contractually bound
to the controller and follow
written orders
● Must return or delete data
when contract ends

9. Broad Definition of Personal Data
● GDPR broadens the definition of personal data:
○ Any information concerning an identified or identifiable natural person -
such as name, telephone number, email address, car license plate,
dynamic IP address
○ Pseudonymized data that can be reversed to identifiable with additional
data
● GPDR also defines sensitive data that must be handled with special care
○ Political affiliation, health records, genetic & biometric data, etc.
● Children are identified as vulnerable individuals that require specific
protection
○ Consent given by person with parental responsibility for the child

10. Other Major Concepts
● Transparency and consent - The individuals need to know how and why
their data is used, and companies need to have valid reason for the data
usage
○ Several valid reasons, such as contractual, legal, and based on consent
○ If consent is given, it can be withdrawn anytime
● Privacy by design and default - Systems need to be designed to take
privacy into account from the very beginning
● Accountability - Organisations must be able to proof that they are following
the regulation, i.e. reversed burden of proof
○ Requires process documentation, paper trails of decisions, and in some
cases privacy impact assessments

11. Rights of the Individuals (1/2)
● Access to data - The individuals must be able to see the data
collected about them
○ By request that needs to be followed in a month - there are
extensions for some cases, in commonly used electronic format.
○ First copy must be free of charge
● Rectification of inaccurate data - The individuals can ask inaccurate
data to be corrected
● Right of erasure - The individuals can ask data to be removed
● Object of processing - The individuals can stop specific kind of
processing, for example, direct marketing

12. Rights of the Individuals (1/2)
● Portability - The individuals have right to have their data ported to
them or to another service
● Restricting processing - The individuals can ask to stop processing
their data for a period of time.
○ Data can also be temporarily removed in this case
● Profiling and automated decision-taking - Profiling based on
sensitive data requires explicit consent and the individuals can
request manual intervention of automated decision-taking that cause
them significant effects

13. Data Transfers
● Transfers outside EEA (European Economic Area) are restricted, but
not forbidden
● Transfers require adequate level of data protection, such as following
EU model clauses
● Number of safe countries whose regulation provides similar
protection of personal data as GDPR
● Safe Harbor is now replaced with Privacy Shield, a brand new deal to
self-certify US companies to allow hosting data regulated by the
GDPR

14. Data Breaches
● Processors need to inform the controller “without undue delay after
becoming aware of it”, without exceptions
● Controllers need to inform the authorities within 72 hours after
becoming aware of the breach
● In some cases, the controller will need to inform the data subjects
about the breach

15. Implications for UX
● Consent is more regulated than before
○ Needs to be specific and unambigious, cannot be part of other
written agreements
○ Must be active - i.e. no preticked checkboxes
○ Must be reversable
○ Record of the given content is required
○ Consent cannot be required for a service that works also without
processing personal data
● Privacy policy is more important than before
○ Data has to have storage times, and a lot of other tidbits

16. Changes in Contracting
● Controller must have written contract with every processor
○ Responsibility goes to the end of the subcontracting chain
● The contract has mandatory clauses stipulated by GDPR
● The actions done by a processor must be defined in writing

17. What Now?

18. My Advice
● This is for real, so better be prepared
● Start now, soon you are late
● Everything that you do now should already be compliant with GDPR
○ Pay attention to your data architecture
○ Think of user rights and how they are implemented
● Train your people
● Get external help, if you do not know how to proceed

19. You Need to Know Where You Stand
● You need to understand GDPR and its effects to your organisation
● You must understand how data flows in your systems
○ Where, what and why data is stored
○ Check whether data is flowing out of EU or to another controller
● You must have defined and followed procedures for handling personal data
○ These are typically mostly non-existent in start-ups
● You need to have written contracts with all your partners related to personal
data
● You need to be moving now and be compliant by May 25th, 2018
○ There might be some leeway, but I would not count on it
● And if you do nothing, you are just asking for troubles

20. Our Proposal
● Exove has partnered with Bird & Bird to tackle GDPR challenges within
big and small organisations
● Together, we are able to handle legal, processual, and technical issues
simultaneously
The work is split into two parts:
○ Gap analysis - understanding your current position and the gap
towards the compliance by structured and tailored interviews,
workshop and gap analysis
○ Compliance program - a complete undertaking to ensure GDPR
compliance in your company

21. Gap Analysis
Description
Bird&Bird asks the juridical questions and
Exove focuses on ICT. The questionnaires
are sent typically to people responsible for
ICT, HR, legal and business
Bird&Bird and Exove study the results and
write an analysis of the situation
Bird&Bird and Exove organise a three hour
workshop with the key people of the client
OPTION: The report is gone through with
the client and the situation is assessed to
understand how the client will reach legally
and technically required compliant state.
Contents Results
Report with around ten point list of the
current situation and action points.
Offer for executing a GDPR compliance
program
IT Juridical
Analysis
Workshop
GDPR compliance program

22. Compliance Program
● Bird & Bird and Exove plan and execute a complete compliance
program
● Based on the gap analysis findings, industry of the client, and assessed
risks
● Includes changes to processes, documentation, technology, UX, and
contracts
● The depth of the work is to be agreed on case by case basis

23. Questions & Answers

24. Thank You!
EXOVE
Janne Kalliola
janne@exove.com
+358 40 558 1796