The General Data Protection Regulation (GDPR) enforces data protection rules across Europe starting May 25, 2018, applying to all businesses that handle EU residents' personal data. It introduces principles such as data minimization, purpose limitation, and accountability, alongside penalties for non-compliance that can reach up to €20 million or 4% of annual global turnover. Organizations must ensure proper handling of personal data and implement security measures to protect users' privacy.

1. Global Data Privacy
Regulation

2. Agenda
• GDPR
• GDPR Penalties
• What is Data Protection?
• Data Controller or Data Processer
• Principles
• GDPR Information Lifecycles

3. GDPR
• General Data Protection Regulation (GDPR), which becomes enforceable across Europe on 25 May
2018. This is an overhaul, modernization, and replacement of the existing framework, the Data
Protection Directive of 1995.
• The GDPR applies to all businesses with customers, or website/mobile app visitors who are from
the European Union (EU). This means that any organization in the world that works with EU
residents’ personal data in any manner has obligations to protect their users’ data and be GDPR
compliant.
Famous Quotes
“Think about your user data from the very start, and don’t let it be an afterthought.”
“Companies that have direct customer relationships, it’s all manageable, and on the upside you not
only reduce your compliance risk but benefit from the increased trust your customers will show in you
and the online world in general.”

4. GDPR Penalties
The GDPR (General Data Protection Regulation) sets a
maximum fine of €20 million (Euro) or 4% of annual
global turnover – whichever is greater – for
infringements

5. What is Data Protection?
• Data Protection refers to legislation that is intended to:
 protect the right to privacy of individuals (all of us)
 ensure that Personal Data is used appropriately by organisations that may have it (Data Controllers).
Personal data is any information
that can be used to identify a
natural person – “Data Subject”
• Name
• Date of Birth
• Address
• Phone Number
• Email address
• Membership Number
• IP Address
• Photographs etc
Some categories of information
are defined as Special Categories
of Personal Data and require more
stringent measures of protection.
These categories include:
• Religion
• Ethnicity
• Sexual orientation
• Trade union membership
• Medical information etc.
Although not listed as “special
categories of personal data”,
the following are also
awarded additional
protection:
• Criminal Data
• Children’s Data

6. Data Controller or Data Processor?
The GDPR states that a data controller “determines the purposes and means of the
processing” whereas a data processor acts only and always “on behalf of the data
controller”.

7. Principles
• Purpose limitation
Data can be collected and used only for those purposes that have been transmitted to the data subject and
about which the consent was received. Purpose must be “specified, explicit and legitimate”
• Data minimization
Personal data to be collected should be “adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed”.
• Accuracy
Personal data must be “accurate and where necessary kept up to date”. You must make sure that you do
not retain old and outdated contacts and ensure the erasure of inaccurate personal data without delay
• Storage limitations
Company would have to set the retention period for personal data you collect and justify that this period is
necessary for your specific objectives
• Integrity and confidentiality
The principle of integrity and confidentiality requires you to handle personal data “in a manner [ensuring]
appropriate security”, which include “protection against unlawful processing or accidental loss, destruction
or damage”.

8. Principles
• "Implement anonymization or pseudonymization into the systems.
• Data anonymization is a type of information sanitization whose intent is privacy
protection. It is the process of removing personally identifiable information from data
sets, so that the people whom the data describe remain anonymous.
• Pseudonymization is a data management and de-identification procedure by which
personally identifiable information fields within a data record are replaced by one or
more artificial identifiers, or pseudonyms."
• Accountability
Company is responsible for compliance with the principles of the GDPR. It requires a thorough
documentation of all policies that govern the collection and procession of data.

9. GDPR Information Life Cycle
Assess
Capture
StoreUse
Destroy
Data Protection by Design and by Default
Data Protection Impact Assessment (DPIA)
Documentation
Retention Period
Right to erasure
Portability
Third Party copies
Appropriate use
Consent
Manage Consent
Restricted
International Transfers
Safe and Secure
Restricted Access
Data Inventory
Subject Access Requests
Contracts with Data Processors
Data breaches
Data Minimisation
Privacy Notices
Privacy Rights
Obtain Consent

10. Thank You!