A LITTLE BEE BOOK
“How it Works”
GDPR
This book belongs to:
Adapted from a variety of sources by Bob Yelland
This booklet is intended to provide friendly and
helpful advice and is not a definitive statement of law
After four years of debate, the General Data
Protection Regulation (GDPR) was adopted by the
European Union in April 2016 and entered into force
the following month. As an EU regulation it applies
directly in every member state without national
implementing legislation, but organisations were given
a two-year transition period, so companies are expected
to be fully compliant from 25 May 2018. The regulation
is intended to establish one single set of data
protection rules across Europe.
Organisations outside the EU are also subject to the
regulation when they offer goods or services to
individuals in the EU, or monitor the behaviour of
individuals in the EU, whatever those individuals’
nationality.
GDPR is designed to give individuals better control
over their personal data held by organisations. It
requires some organisations to appoint a Data
Protection Officer, including public authorities and
those whose core activities involve large-scale regular
monitoring of individuals or large-scale processing of
special categories of data, and many others may
choose to appoint one.
Personal data is defined as any information relating
to a person who can be identified directly or
indirectly. This includes online identifiers, such as IP
addresses and cookies, if they are capable of being
linked back to the data subject.
Indirect information might include physical,
physiological, genetic, mental, economic, cultural or
social identities that can be linked back to a specific
individual.
There is no distinction between personal data about
an individual in their private, public or work roles –
all are covered by this regulation.
50% of global companies say they will struggle to
meet the rules set out by Europe unless they make
significant changes to how they operate.
There will be a substantial increase in fines for
organisations that do not comply with this new
regulation.
Penalties can be levied up to the greater of ten
million euros or two per cent of total worldwide
annual turnover for the preceding financial year for
breaches of the obligations placed on controllers and
processors, including record-keeping, security,
breach notification and data protection impact
assessments.
These ceilings are doubled to twenty million euros
or four per cent of turnover for breaches of the basic
principles of processing, including the lawful basis
for processing and the conditions for consent, of
data subjects’ rights, and of the rules on transfers of
personal data outside the EU.
Companies will be required to “implement
appropriate technical and organisational measures”
in relation to the nature, scope, context and
purposes of their handling and processing of
personal data. Data protection safeguards must
be designed into products and services from the
earliest stages of development.
These safeguards must be appropriate to the
degree of risk associated with the data held and
might include:
•	 Pseudonymisation and/or encryption of
personal data
•	 Ensuring the ongoing confidentiality, integrity,
availability and resilience of systems
•	 Restoring the availability of, and access to, data
in a timely manner following a physical or
technical incident
•	 Introducing a process for regularly testing,
assessing and evaluating the effectiveness of
these systems.
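The first safeguard in the list above, pseudonymisation, is frequently implemented badly: an unkeyed hash of a low-entropy identifier such as an IPv4 address can be reversed by simply hashing every possible address. The following is an added example, not code from the booklet or from IBM, showing keyed pseudonymisation of client IP addresses in web-server access logs. It assumes HMAC-SHA256 under a secret key as the technique, constructed sample log lines using documentation-range addresses, and a key that is stored separately from the pseudonymised data; the function and variable names are the example’s own.

```python
"""
Keyed pseudonymisation of personal identifiers (added example, not from
the booklet). Assumptions: HMAC-SHA256 under a secret key is the
pseudonymisation technique, the identifier is the client IP of constructed
access-log lines, and the key is held apart from the pseudonymised data.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample access-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [25/May/2018:09:15:01 +0000] "GET /account HTTP/1.1" 200 512',
    '203.0.113.42 - - [25/May/2018:09:15:07 +0000] "POST /account/update HTTP/1.1" 302 0',
    '198.51.100.7 - - [25/May/2018:09:16:30 +0000] "GET / HTTP/1.1" 200 1024',
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: commonly mistaken for pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes, purpose: str = "analytics") -> str:
    """Stable keyed pseudonym: HMAC-SHA256 over (purpose, identifier).

    The same identifier maps to the same token under the same key, so records
    stay linkable for analysis, but without the key a guess cannot be checked
    against a token. Binding the purpose into the MAC input yields different
    tokens per purpose, so data sets pseudonymised for different purposes
    cannot be joined on the token.
    """
    msg = purpose.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def recover_by_enumeration(token: str, network: str,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """Try every address in `network` against `token` using `hasher`.

    Models an attacker who knows (or guesses) the hashing function and the
    address range: IPv4 has only 2**32 values, so an unkeyed hash gives no
    protection against this search.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hasher(str(addr)), token):
            return str(addr)
    return None


def pseudonymise_log(lines: Iterable[str], key: bytes) -> List[str]:
    """Replace the client IP (first field of each line) with its keyed pseudonym."""
    out = []
    for line in lines:
        ip, rest = line.split(" ", 1)
        ipaddress.ip_address(ip)  # raises ValueError if the first field is not an IP
        out.append(f"{pseudonymise(ip, key)} {rest}")
    return out


def demo() -> None:
    key = secrets.token_bytes(32)  # keep in a KMS/HSM, never beside the log data
    victim = "203.0.113.42"

    # 1. Unkeyed hash: the address is recovered by enumerating its /16.
    found = recover_by_enumeration(naive_hash(victim), "203.0.0.0/16", naive_hash)
    print("unkeyed SHA-256 recovered:", found)

    # 2. Keyed pseudonym: the same search with a guessed key finds nothing.
    token = pseudonymise(victim, key)
    guess = recover_by_enumeration(token, "203.0.0.0/16",
                                   lambda s: pseudonymise(s, b"attacker-guess"))
    print("keyed HMAC recovered with guessed key:", guess)

    # 3. The pseudonymised log keeps one user's requests linkable.
    for line in pseudonymise_log(SAMPLE_LOG, key):
        print(line)

    # 4. The controller, holding the key, can still re-identify when it must.
    print("re-identified by key holder:",
          recover_by_enumeration(token, "203.0.113.0/24",
                                 lambda s: pseudonymise(s, key)))


if __name__ == "__main__":
    demo()
```

The key is the “additional information” that, under the regulation’s definition of pseudonymisation, must be kept separately and protected by technical and organisational measures; data pseudonymised this way is still personal data for the key holder, so the log retains its retention limits and access controls. Tokens should be issued per purpose (the `purpose` label) so that an analytics extract cannot be joined to, say, a fraud data set, and the key should be rotated with a documented procedure, since rotating it breaks linkability with earlier extracts.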
One of the lawful bases on which an organisation may
process personal data is the consent of the individual
whose data is held. Consent means “any freely given,
specific, informed and unambiguous indication of the
data subject’s wishes by which he or she, by a
statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating
to him or her”.
Organisations relying on consent must be able to
demonstrate how and when it was obtained. Consent
cannot be inferred from silence, pre-ticked boxes,
inactivity or the person’s existing relationship with
the company: it requires a clear affirmative action.
Where consent is not the appropriate basis, processing
must rest on another lawful basis, such as performance
of a contract or the organisation’s legitimate
interests, and in every case the data must be collected
for specified, explicit and legitimate purposes.
Individuals must be able to withdraw consent at any
time, as easily as they gave it, and have a right to
erasure (the “right to be forgotten”): if their data is
no longer required for the purposes for which it was
collected, or consent is withdrawn and no other lawful
basis applies, it must be erased.
When companies obtain data from an individual,
some of the areas that must be made clear are:
•	 The identity and contact details of the organisation
•	 The purpose of acquiring the data and how it will
be used
•	 Whether the data will be transferred internationally
•	 The period for which the data will be stored
•	 The right to access, rectify or erase the data
•	 The right to withdraw consent at any time
•	 The right to lodge a complaint.
The regulation requires that individuals be given
access to information on how their data is processed,
and that this information be provided in a concise,
transparent and easily understandable form.
Individuals can make requests to exercise their rights,
and these must be acted on “without undue delay and in
any event within one month of receipt of the request”.
That period may be extended by two further months
where necessary, taking into account the complexity
and number of requests, provided the individual is told
of the extension, and the reasons for it, within the
first month.
The information must normally be provided free of
charge. Where requests are manifestly unfounded or
excessive, in particular because they are repetitive,
any organisation (not only small and medium-sized
enterprises) may charge a reasonable fee based on its
administrative costs or refuse to act on the request;
the organisation bears the burden of demonstrating
that the request was unfounded or excessive.
Companies must report breaches of security
“leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or
otherwise processed”.
In the event of a personal-data breach, the controller
must notify the appropriate supervisory authority
“without undue delay and, where feasible, not later
than 72 hours after having become aware of it”, unless
the breach is unlikely to result in a risk to the rights
and freedoms of individuals; if notification is made
later than 72 hours, the reasons for the delay must be
given. A processor that becomes aware of a breach must
notify the controller without undue delay. Where the
breach is likely to result in a high risk to individuals,
the affected individuals must also be informed without
undue delay. Every breach, whether or not it is
notified, must be documented, including its effects
and the remedial action taken.
In March 2016, the UK Information Commissioner’s
Office (ICO) published Preparing for the General
Data Protection Regulation (GDPR) – 12 Steps to
Take Now. Some of these steps for organisations are
summarised next.
1.	Ensure key departments are aware that the law is
changing, and anticipate the impact of GDPR.
2.	Document what personal data is held, where it
came from and with whom it is shared.
3.	Review current privacy notices, and make any
necessary changes.
4.	Review procedures to address the new rights that
individuals will have.
5.	Plan how to handle requests within the new time
frames, and provide the required information.
6.	Identify and document the legal basis for each
type of data processing activity.
7.	Review how consent is sought, obtained
and recorded.
8.	Make sure procedures are in place to detect,
report and investigate data breaches.
9.	Designate a Data Protection Officer to take
responsibility for data protection compliance.
IBM can help companies prepare for this regulation.
Our products offer data transparency, mask
sensitive data, delete old/obsolete data, identify
sensitive/toxic data and locate the data that
matters, where that data is stored and how it is
being used.
IBM Information Integration & Governance (IIG)
provides agile data integration and governance
to build confidence in data, including exploration
and management of data lineage. IBM Information
Lifecycle Governance (ILG) provides insight
into unstructured data and also the tools and
methodology to syndicate, instrument and enforce
policies. IBM Security provides pervasive and
intelligent internal and external network defences,
incident response and security restrictions.
© Copyright IBM Corporation 2016. All Rights Reserved.
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
Other product, company or service names may be trademarks or service marks of others.
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 

GDPR for Dummies

  • 1. A LITTLE BEE BOOK “How it Works” GDPR
  • 2. This book belongs to: A LITTLE BEE BOOK “How it Works” GDPR. Adapted from a variety of sources by Bob Yelland. This booklet is intended to provide friendly and helpful advice and is not a definitive statement of law.
  • 3. After four years of debate, the General Data Protection Regulation (GDPR) was ratified by the European Union during April 2016 and has now become law, although member states have a two‑year period to implement it into national law. This means that companies will be expected to be fully compliant from 25 May 2018. The regulation is intended to establish one single set of data protection rules across Europe. Organisations outside the EU are subject to this regulation when they collect data concerning any EU citizen. GDPR is designed to give individuals better control over their personal data held by organisations, and may lead many to appoint a Data Protection Officer.
  • 4. Personal data is defined as any information relating to a person who can be identified directly or indirectly. This includes online identifiers, such as IP addresses and cookies, if they are capable of being linked back to the data subject. Indirect information might include physical, physiological, genetic, mental, economic, cultural or social identities that can be linked back to a specific individual. There is no distinction between personal data about an individual in their private, public or work roles: all are covered by this regulation. 50% of global companies say they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate.
  • 5. There will be a substantial increase in fines for organisations that do not comply with this new regulation. Penalties can be levied up to the greater of ten million euros or two per cent of global gross turnover for violations of record-keeping, security, breach notification and privacy impact assessment obligations. These penalties are doubled to twenty million euros or four per cent of turnover for violations related to legal justification for processing, lack of consent, data subject rights and cross-border data transfers.
  • 6. Companies will be required to “implement appropriate technical and organisational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data. Data protection safeguards must be designed into products and services from the earliest stages of development. These safeguards must be appropriate to the degree of risk associated with the data held and might include:
      • Pseudonymisation and/or encryption of personal data
      • Ensuring the ongoing confidentiality, integrity, availability and resilience of systems
      • Restoring the availability of, and access to, data in a timely manner following a physical or technical incident
      • Introducing a process for regularly testing, assessing and evaluating the effectiveness of these systems.
  • 7. A key part of the regulation requires consent to be given by the individual whose data is held. Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. Organisations will need to be able to show how and when consent was obtained. This consent does not need to be explicitly given; it can be implied by the person’s relationship with the company. However, the data obtained must be for specific, explicit and legitimate purposes. Individuals must be able to withdraw consent at any time and have a right to be forgotten: if their data is no longer required for the reasons for which it was collected, it must be erased.
  • 8. When companies obtain data from an individual, some of the areas that must be made clear are:
      • The identity and contact details of the organisation
      • The purpose of acquiring the data and how it will be used
      • Whether the data will be transferred internationally
      • The period for which the data will be stored
      • The right to access, rectify or erase the data
      • The right to withdraw consent at any time
      • The right to lodge a complaint.
  • 9. The regulation demands that individuals have full access to information on how their data is processed, and this information should be available in a clear and understandable way. Individuals can make requests, and these must be executed “without undue delay and at the latest within one month of receipt of the request”. Where requests to access data are manifestly unfounded or excessive, small and medium‑sized enterprises will be able to charge a fee for providing access.
  • 10. Companies must report breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In the event of a personal-data breach, companies must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it” if the breach is likely to “result in a risk for the rights and freedoms of individuals”. In March 2016, the UK Information Commissioner’s Office (ICO) published Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now. Some of these steps for organisations are summarised next.
  • 11. 1. Ensure key departments are aware that the law is changing, and anticipate the impact of GDPR. 2. Document what personal data is held, where it came from and with whom it is shared. 3. Review current privacy notices, and make any necessary changes. 4. Review procedures to address the new rights that individuals will have. 5. Plan how to handle requests within the new time frames, and provide the required information. 6. Identify and document the legal basis for each type of data processing activity. 7. Review how consent is sought, obtained and recorded. 8. Make sure procedures are in place to detect, report and investigate data breaches. 9. Designate a Data Protection Officer to take responsibility for data protection compliance.
  • 12. IBM can help companies prepare for this regulation. Our products offer data transparency, mask sensitive data, delete old/obsolete data, identify sensitive/toxic data and locate the data that matters, where that data is stored and how it is being used. IBM Information Integration Governance (IIG) provides agile data integration and governance to build confidence in data, including exploration and management of data lineage. IBM Information Lifecycle Governance (ILG) provides insight into unstructured data and also the tools and methodology to syndicate, instrument and enforce policies. IBM Security provides pervasive and intelligent internal and external network defences, incident response and security restrictions.
  • 13. © Copyright IBM Corporation 2016. All Rights Reserved. IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other product, company or service names may be trademarks or service marks of others.
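Slide 6 names pseudonymisation as one of the technical measures, and slide 7 requires erasure when a data subject's data is no longer needed. The following is an added example (not from the booklet, and not an IBM product) showing one common way to implement both: a direct identifier is replaced by an HMAC-SHA256 pseudonym, the key and the re-identification table are held separately from the working dataset, erasure removes a subject's rows and their link, and destroying the key (crypto-shredding) makes every remaining pseudonym unlinkable. The email addresses and record fields are constructed sample data.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample records containing a direct identifier (the email address).
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.com", "country": "FR", "purchases": 3},
    {"email": "bob@example.com", "country": "DE", "purchases": 1},
    {"email": "alice@example.com", "country": "FR", "purchases": 2},
]


class Pseudonymiser:
    """Keyed pseudonymisation: HMAC-SHA256(key, identifier).

    The key and the lookup table are the 'additional information' that must be
    kept separately from the pseudonymised dataset. Without them a pseudonym
    cannot be linked back to a person, while the same person still maps to the
    same pseudonym, so counts and joins within the dataset keep working.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh random key unless one is supplied (e.g. from a KMS/HSM).
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # pseudonym -> identifier

    def _token(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed: pseudonyms can no longer be computed")
        return hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymise(self, identifier: str) -> str:
        """Issue the pseudonym for an identifier and record the link."""
        token = self._token(identifier)
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Look a pseudonym back up; None once the link has been erased."""
        return self._lookup.get(token)

    def forget(self, identifier: str) -> str:
        """Drop the re-identification link for one subject; returns the token."""
        token = self._token(identifier)
        self._lookup.pop(token, None)
        return token

    def destroy_key(self) -> None:
        """Crypto-shredding: with the key and table gone, nothing is linkable."""
        self._key = None
        self._lookup.clear()


def pseudonymise_dataset(p: Pseudonymiser, records: List[dict]) -> List[dict]:
    """Return a copy of the records with the email replaced by a 'subject' pseudonym."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != "email"}
        row["subject"] = p.pseudonymise(rec["email"])
        out.append(row)
    return out


def erase_subject(p: Pseudonymiser, dataset: List[dict], identifier: str) -> List[dict]:
    """Honour an erasure request: remove the subject's rows and the link to them."""
    token = p.forget(identifier)
    return [row for row in dataset if row["subject"] != token]


if __name__ == "__main__":
    p = Pseudonymiser()
    ds = pseudonymise_dataset(p, SAMPLE_RECORDS)
    print(ds)                                    # no email field, repeat customer shares a token
    print(p.reidentify(ds[0]["subject"]))        # alice@example.com (only with the key holder's table)
    ds = erase_subject(p, ds, "alice@example.com")
    print(ds, p.reidentify(ds[0]["subject"]))    # bob's row only; his link still exists
    p.destroy_key()
    print(p.reidentify(ds[0]["subject"]))        # None: nothing linkable after shredding
```

A practical point the example makes concrete: a pseudonymised dataset is still personal data under GDPR as long as the key or table exists somewhere, so the separation between the dataset and the key holder (a different store, a different access policy) is the control that matters, and key destruction is what turns the remaining records into data that can no longer be attributed to anyone.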