GDPR

EXPLORING THE IMPACT ON ORGANISATIONS & FINANCIAL INSTITUTIONS
GENERAL DATA PROTECTION REGULATION (GDPR)

 The GDPR protects natural persons with regard to the processing of personal data &
gives citizens more control over their personal data.
 GDPR applies to all companies processing & holding personal data of data subjects
residing in the EU, regardless of the company’s location.
 Organizations must keep record of and monitor personal data processing activities.
 As data controller, organizations must keep record of & monitor personal data
processing activities. This includes personal data handled within the organization, but
also by third parties - so called data processors.
 Data processors can be anything from Software-as-a-Service providers to embedded
third party services, tracking and profiling visitors on the organization’s website.
 Organizations with more than 250 employees and or companies processing sensitive
personal data at a large scale to employ or train a data protection officer (DPO).
 The fines for violating the GDPR norms can be significant and the maximum penalty is
4% of annual turnover or €20 million which ever is higher.
 In relation to Brexit, the UK Government plans to implement equivalent legislation
that will largely follow the GDPR.
NATURAL
PERSONS
DATA
CONTROLLERS
GDPR
DATA
PROCESSORS

GDPR
PENALITY
TERRITORIAL
SCOPE
RETRACEABILITY
DATA SUBJECT
RIGHTS
DATA BREACH
PRIVACY
AGREEMENT
DATA
INVENTORY
DATA
PROTECTION
OFFICER
GDPR DESCRIPTOR’S
 NATURAL PERSON
 PROTECTION OF PRIVACY
 CROSS-FRONTIER DATA FLOW
 DATA-PROCESSING LAW
 ACCESS TO INFORMATION
 DATA PROTECTION
 DISCLOSURE OF INFORMATION
 PERSONAL DATA
 FREEDOM, SECURITY & JUSTICE

System
Analysis
GAP
Identification
System
Transformation
Data Inventory
Management
Privacy
Design
Third Party
Requirements
GDPR
Compliant
GDPR ACTION PLAN
• Study Business Insight
• Organisation and Accountability
• Develop Strategy & Roadmap
• Data Breach Handling Procedure
• Data Subject Rights procedure
• Data Protection Officer
• Data Processing Agreements
• Privacy Risk Assessment
• Risk mitigation
• Risk Acceptance
• Employee training and awareness
• Third Party Agreements

RIGHT OF DATA SUBJECT
 Breach Notification – GDPR compliant organizations must notify end users of any data
breaches within 72 hours of first coming aware of the situation.
 Right to Access – Compliant companies must provide the personal information stored about
each end user and information regarding how the data is being used and where it is stored
on request by the data subject.
 Right to be Forgotten: This requirement entitles a data subject to have his/her personal data
erased and have it no longer disseminated to third parties or exposed to third party
processing.
 Data Portability – This rule requires GDPR compliant companies to provide end user data in a
commonly used and machine readable format” on-demand allowing users to take their data
to another data user.
 Privacy by Design – Privacy by Design requires the inclusion of data protection at the onset
of system design versus being added later.
 Data Protection Officers – DPOs are mandatory for those companies whose core activities
include systematic monitoring of customer data on a large scale or hosting data relating to
criminal convictions and offenses.
BREACH NOTIFICATION
RIGHT TO ACCESS
RIGHT TO BE FORGOTTEN
DATA PROTABILITY
PRIVACY BY DESIGN
DATA PROTECTION OFFICER

RIGHT OF DATA SUBJECT
 The controller shall take appropriate measures to provide any information to the
data subject in a concise, transparent, intelligible and easily accessible form, using
clear and plain language. (Article 12).
 The controller to provide the data subject with the purpose for which the data are
collected & time period for which the data shall be stored. (Article 13).
 Data subjects will have the right to obtain a copy of the personal data you hold
about them & to an in-depth description of how it is being processed (Article 15).
 They have the right to have inaccurate personal data corrected (Article 16).
 They have the right to have inaccurate personal data or their data deleted (Article
17).
 The data subject shall have the right restrict the controller from processing their
personal data, except for exercise or defense of legal claims or for the protection
of the rights of another natural or legal person or for reasons of important public
interest of the Union or of a Member State ( Article 18).
CHAPTER III - Rights of
the data subject - Article
12 to 22 & 34
CHAPTER VIII - Remedies,
liability and penalties -
Article 77, 78, 79 & 82

RULES FOR BUSINESSES
 Single set of EU-wide rules
 Data protection officer
 EU rules for non-EU companies
 Data protection by design and by default
 Data protection safeguards
 Pseudonymisation & Encryption
 Data protection impact assessment
 Conditions for Data Subject consent
 Data Breach Notification to Data Subject
 Data breach Notification to the supervisory authority
 Acting as Representatives of controllers
 Record-keeping of processing activities
 Exemptions - Processing of data
 Penalty for non-compliance
RIGHTS OF DATA
SUBJECT
DATA
INVENTORY
EU & NON EU
ORGANISATIONS
SUPERVISORY
AUTHORITY
GDPR

GENERAL DATA PROTECTION REGULATION AND FINANCIAL SECTOR
 The financial sector is one of the more highly regulated sector worldwide, but
many Banks & Credit Institutions have nonetheless been caught off guard by the
complexity of the new EU General Data Protection Regulation (GDPR).
 Organizations risk regulator fines, litigation costs & contract opportunities. The
biggest risk is likely to be in the events of outsourcing of work to third parties,
Organizations within EU as well as Organizations who deal with EU citizens
personal data have to check their third party contracts are GDPR compliant.
 They should also demonstrate to the regulator that:
I. They know where your data resides,
II. Have breach handling process is in place,
III. They respond to the rights of the individual
 This Regulation, takes effect on 25 May 2018, revamps the way organizations knob
personal data. It includes countless requirements, which Banks & Financial
Institutions should take as soon as possible, comply with the requirements of
GDPR.
GDPR
PERSONAL DATA DATA PROTECTION COMPLIANCE
FINANCIAL
INSTITUTIONS

ROLE OF DATA PROTECTION OFFICER (DPO)
 A data protection officer may be a staff member of the controller or processor, or
fulfil the tasks on the basis of a service contract.
 Be the point of contact for data subjects and for cooperating and consulting with
national supervisory authorities, such as the Information Commissioner’s Office.
 Be consulted and provide advice during Data Protection Impact Assessments
 Ensure all future developments and system implementations incorporated fulfill the
principles of data.
 Assist in creating a platform and environment capable of continuously
demonstrating control of personal data
 Have contingency plan (including containment, rectification and communications),
to safe guard data and process to inform data subjects, if something go wrong.
 A data protection officer shall be bound by secrecy or confidentiality concerning the
performance of his or her tasks, in accordance with Union or Member State law.
 A data protection officer shall directly report to the highest management level.
DATA INVENTORY
DATA PROTECTION
OFFICER

GDPR

More Related Content

What's hot

Similar to GDPR

Recently uploaded

GDPR