General Data Protection
Regulations: Key Articles Overview
Craig Clark Information Security & Compliance Manager
Topics
• What is the GDPR
• European Law Landscape
• Key dates
• GDPR Structure
• What is Personally Identifiable Information?
• Territorial Scope - Articles 1-3
• Remedies, Liabilities and Penalties - Articles 79, 82 & 83
• Data Collection Principles - Article 5
• Lawfulness Articles - 5 & 6
• Consent - Articles 7-9
• Transparency - Articles 12-18
• Data Security - Article 32
• Data Breach Notification - Articles 33 & 34
What is the GDPR
• A complete overhaul of data protection regulation with extensive updates of
what can be considered identifiable information
• Applies across all member states of the European Union
• Applies to all organisations processing the data of EU data subjects – wherever
the organisation is geographically based
• Specific and significant rights for data subjects to seek compensation, rights to
erasure and accurate representation
• Compensation can be sought against organisations and individuals employed by
them
• Fines of up to €20,000,000 or 4% of global annual turnover
• The amount can be significantly reduced depending on the technical or
organisational controls already implemented
European Law Landscape
European Legislation can be separated into two main branches:
Directives
• Require individual implementation in each Member State (Each State can
implement rules in their own way)
• Implemented by the creation of national laws approved by the parliaments of
each Member State
• European Directive 95/46/EC (The current Data Protection Act) is a Directive
• Sets out a goal that a Member State must achieve – room for tailoring
• 28 different variations among Member States
European Law Landscape
Regulations:
• Immediately applicable in each Member State in a uniform manner
• Binding Legislative Act
• Derogations allow for fine tuning, examples include the age of a child, and the definition
of large scale data processing
• EUGDPR is a Regulation
• Regulations are not negotiable by member states
• Regulations may apply to countries outside the EU if they affect EU subjects (people who
are originally from the EU)
Key Dates for GDPR
4 May 2016, the official text of the Regulation was published
in the EU Official Journal in all the official languages.
The Regulation entered into force on 24 May 2016, and
applies from 00:01 25 May 2018.
As it stands the United Kingdom will still be considered a
Member State at the time of inception and will therefore be
subject to the requirements of the EUGDPR
This Regulation shall be binding in its entirety and directly
applicable in all Member States.
GDPR Structure
Diagram of the parties under the Regulation: the European Data Protection Board; the Lead Supervising Authority (Information Commissioners Office); the Data Controller (Organisation) and the Data Processor; the Data Subject (Individuals); 3rd Countries and 3rd Parties.
GDPR Structure
• The European Data Protection Board will issue guidance for
controllers and processors
• They will facilitate the use of Data Protection Impact
Assessments
• The ICO will oversee both Data Controllers and Data
Processors
• Breaches and Notifications will be made to the ICO
• 3rd Countries – countries to which data is transferred
• At the centre of the GDPR is the protection of Personally
Identifiable Information
Personally Identifiable Information
Can be defined as Information that can be used to identify a living individual.
Examples include (but are not limited to):
• First & last name (combined)
• Home address
• Date/place of birth
• Photos and videos
• Username/password
• National insurance/Social security number
• Bank account details
• Credit card details
• Passport number
• Medical records
• Financial records
• Non work related correspondence
• Personal email addresses/emails
• Biometric data
• Cookies
• MAC Address
• IP Address
High Risk Personal Information
Other information, while not individually useful for identifying a person, has been defined
as high risk, and as such breaches involving high risk data should be notified.
High Risk data includes:
• Racial and Ethnic Origin
• Trade Union Membership
• Religion
• Political Opinion
• Healthcare Data
• Genetic Data
• Sexual Orientation
• Location Data
• Disability Information
• Biometric Data
• Mental Health Status
• Gender
Territorial Scope
Articles 1-3 cover the applicability of the Regulation
• Data Subjects = living individuals aka natural persons. They have
rights associated with:
- The protection of personal data
- The protection of the processing of personal data
- Unrestricted movement of personal data throughout the
European Union (with consent)
• The scope of the GDPR includes personal data that is processed wholly or
partly by automated means and personal data that is part of a filing
system (or is intended to be)
• Any organisation that processes the data of EU citizens is subject
to the Regulation
Remedies, Liabilities & Penalties
• Enforcement powers of ICO will be significantly enhanced with the
issuing of measures, notices and monetary fines intended to be
effective, proportionate and dissuasive
• Fines can be up to €10,000,000 for enterprise or 2% total
worldwide turnover for the preceding year, whichever is greater
• Fines are calculated based on several factors:
- Controls already in place
- Nature, gravity, extent and duration of infringement
- The types of personal data involved in the infringement
- Actions taken by the controller or processor to mitigate, negate or notify
affected parties (including the ICO) of a breach
Remedies, Liabilities & Penalties
• Data Subjects have the right to an effective judicial remedy
against a controller or processor when the rights of the
data subject have been infringed as a result of processing
• Action can be sought either:
- In the courts of a Member state where the
processor has an establishment
- In the courts of a Member state where the subject
habitually resides
- Against a controller for the inadequate control of
data or a processor for processing
Data Collection Principles
The GDPR sets out 7 key principles for the collection of data:
• Data must be processed lawfully, fairly and in a transparent manner
• Data must only be collected for specified, explicit and legitimate purposes
• Collected data must be adequate, relevant and limited to what is
necessary
• Collected data must be accurate and, where necessary, kept up to date
• Data must be retained only as long as necessary
• Data must be processed securely
• There must be accountability in all processing activity
Lawfulness of Processing
The Regulation introduces the concept of Lawfulness and places specific
obligations on the controller and processor:
• Data must be secured against accidental loss, damage or destruction
• Processing must be lawful which means inter alia:
- Data subject must provide explicit consent for processing for each service
- The processing to be performed is necessary for the performance of a
contract
- processing is necessary for compliance with a legal obligation
• Controllers have one month to process Subject Access Requests – no charges
(unless vexatious)
Lawfulness of Processing
The Regulation seeks to clearly distinguish between the obligations placed upon
controllers and processors.
• Processors and Controllers must now have a legally binding contract
• Controllers responsible for ensuring processors comply with contractual terms
for processing information
• Processors, like controllers, are required to implement appropriate security
measures
• The lead processor is required to reflect the same contractual obligations it has
with the controller in a contract with any sub-processors and remains liable to
the controller for the actions or inactions of any sub-processor.
Consent
• Consent must be clear and affirmative – inaction on the part of the data subject
no longer implies consent
• Controllers must be able to demonstrate that consent was given in a clear,
intelligible and easily accessible way or else it is not binding
• It must be possible for data subjects to withdraw consent at any time and must
be as easy to withdraw as it is to give. This has significant implications on how
data is processed
• Special conditions for children under the age of 16
• Separate, explicit consent must be given for high risk personal data along with
an outline of what the controller intends to do with it in terms of processing
(except in protecting the public interest)
• All information should be secured
Transparency
New obligations are placed on controllers on how they interact with data subjects
• Any communications need to be concise, transparent and intelligible
• Controllers must provide clear, unambiguous information about how and why a
subject's data is collected and processed
• Controllers have an obligation to proactively provide information about
individuals within the organisation including the Data Controller and the Data
Protection Officer and the specific rights a subject has
• If data has been obtained indirectly (e.g. a mailing list), Controllers must take
specific steps to notify affected subjects
• All data subjects have rights to access their data including the right of erasure,
the right of transfer and the right of accuracy
Data Security
A requirement on controllers and processors to implement a level of security
appropriate to the risk. Techniques:
• Pseudonymisation - Separation of data from direct identifiers so that linkage to
an identity is not possible without additional information that is held
separately.
• Encryption - Conversion of electronic data into another form, called ciphertext,
which cannot be easily understood by anyone except authorised parties.
• Minimisation - Reducing the data collection to the minimum required to deliver
the service agreed by the data subject
• Penetration Testing - Agreeing a process for regularly testing, assessing and
evaluating the effectiveness of security measures
• Ensuring ongoing application of confidentiality, integrity and availability
controls
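The pseudonymisation and minimisation techniques above, together with the right of erasure mentioned under Transparency, as an added example that is not part of the original deck: direct identifiers are replaced with an HMAC pseudonym, the key and the pseudonym-to-identity lookup are the "additional information held separately", and an erasure request is honoured by cutting that link. The record field names, the choice of HMAC-SHA256 and the sample records are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Direct identifiers (from the deck's PII examples) that must not remain in the
# processing copy of a record. The field names are assumptions for this example.
DIRECT_IDENTIFIERS = ("name", "email", "ni_number")

# Constructed sample records; these are not real people.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"name": "Alice Example", "email": "alice@example.org", "ni_number": "QQ123456C",
     "dob": "1984-03-02", "postcode": "EX1 1AA", "balance": 120.50},
    {"name": "Bob Example", "email": "bob@example.org", "ni_number": "QQ654321A",
     "dob": "1990-11-17", "postcode": "EX2 2BB", "balance": -30.00},
]


class Pseudonymiser:
    """Replaces direct identifiers with a keyed pseudonym.

    The HMAC key and the pseudonym-to-identity lookup are the 'additional
    information held separately' in the deck's definition: without both,
    the pseudonymised dataset cannot be linked back to a person.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        self._key = key
        # Held apart from the processing dataset (in practice a separate store
        # with its own access controls); kept in memory here for the example.
        self._lookup: Dict[str, Dict[str, object]] = {}

    def pseudonym_for(self, record: Dict[str, object]) -> str:
        # Canonical join of the direct identifiers so the same person maps to
        # the same pseudonym across runs; HMAC rather than a bare hash so the
        # mapping cannot be rebuilt by anyone who does not hold the key.
        ident = "\x1f".join(str(record[f]) for f in DIRECT_IDENTIFIERS)
        return hmac.new(self._key, ident.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: Dict[str, object],
                     keep_fields: Iterable[str]) -> Dict[str, object]:
        """Return a minimised, pseudonymised copy and register the lookup entry."""
        missing = [f for f in DIRECT_IDENTIFIERS if f not in record]
        if missing:
            raise KeyError(f"record lacks direct identifiers: {missing}")
        pseudonym = self.pseudonym_for(record)
        self._lookup[pseudonym] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        out: Dict[str, object] = {"subject_id": pseudonym}
        # Minimisation: only the fields the agreed service needs are copied.
        for f in keep_fields:
            if f in DIRECT_IDENTIFIERS:
                raise ValueError(f"{f} is a direct identifier and cannot be kept")
            out[f] = record[f]
        return out

    def reidentify(self, pseudonym: str) -> Optional[Dict[str, object]]:
        """Only the holder of the separate lookup can link a pseudonym back."""
        return self._lookup.get(pseudonym)

    def erase(self, pseudonym: str) -> bool:
        """Honour a right-of-erasure request by cutting the link; the
        pseudonymised processing rows then refer to nobody identifiable."""
        return self._lookup.pop(pseudonym, None) is not None


def contains_direct_identifiers(record: Dict[str, object]) -> bool:
    """Check a processing record against the direct-identifier list."""
    return any(f in record for f in DIRECT_IDENTIFIERS)


def pseudonymise_dataset(records: Iterable[Dict[str, object]],
                         keep_fields: Iterable[str],
                         key: Optional[bytes] = None):
    """Pseudonymise a whole dataset; returns the key/lookup holder and the rows."""
    key = key or secrets.token_bytes(32)
    holder = Pseudonymiser(key)
    keep = tuple(keep_fields)
    return holder, [holder.pseudonymise(r, keep) for r in records]


if __name__ == "__main__":
    holder, rows = pseudonymise_dataset(SAMPLE_RECORDS, keep_fields=("postcode", "balance"))
    for row in rows:
        print(row)                                   # no name, email or NI number
    print(holder.reidentify(rows[0]["subject_id"]))  # needs the separate lookup
    holder.erase(rows[0]["subject_id"])
    print(holder.reidentify(rows[0]["subject_id"]))  # None after erasure
```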
Data Breach Notification
The GDPR stipulates specific requirements for breach notification.
The legislation defines a breach as:
“a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, personal data transmitted,
stored or otherwise processed.”
• Processors must notify Controllers of any breach
• Controllers must notify the Lead Supervisory Authority of high risk breaches
without undue delay and where feasible not later than 72 hours after
becoming aware of it
• How and when a notification is made has a significant impact on mitigation
from the Lead Supervisory Authority
Notification Requirements
• Notification to the ICO without undue delay (within 72 Hours)
• Description of the nature of breach
• Specify categories of data subjects (gender, adult or child, patient, student etc.)
• The number of data subjects affected
• The number of personal records breached
• The likely implications of the breach
• Details of Data Protection Officer
• The measures taken to mitigate
• Currently no requirement to notify if the breach is not considered high risk and
the breach is unlikely to impact the rights and freedoms of data subject
(guidance on what constitutes high risk to be confirmed)
Notification Requirements
When a high risk breach has occurred, the data controller has specific obligations
regarding communication to affected data subjects
• Communication can be mandated by the supervisory authority
• Communication must be carried out without undue delay
• Communication must be in clear, plain language
• Exceptions if appropriate measures have been implemented to minimise risk
• Exceptions if communication would involve disproportionate effort compared
to risk
Why this is Important
Between January – March 2016 the ICO was notified of 448 significant data
breaches. Now more than ever before, the ethos needs to be that we will be
breached eventually, and we need to prepare for that eventuality.

More Related Content

What's hot

GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
Sudarsan Reddy
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
The Pathway Group
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
Naomi Holmes
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
SPIN Chennai
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
California Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to ComplianceCalifornia Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to Compliance
Tinuiti
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
Caroline Boscher
 
GDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdfGDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR infographic
GDPR infographicGDPR infographic
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
Amiit Keshav Naik
 
What about GDPR?
What about GDPR?What about GDPR?
What about GDPR?
Martin Hawksey
 
Privacy & Data Protection in the Digital World
Privacy & Data Protection in the Digital WorldPrivacy & Data Protection in the Digital World
Privacy & Data Protection in the Digital World
Arab Federation for Digital Economy
 
Data protection
Data protectionData protection
Data protection
Lewis Silkin
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)
Andrew Sharpe
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
Home
 
Privacy & Data Protection
Privacy & Data ProtectionPrivacy & Data Protection
Privacy & Data Protection
sp_krishna
 
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
CIO Edge
 

What's hot (20)

GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role
 
California Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to ComplianceCalifornia Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to Compliance
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
GDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdfGDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdf
 
GDPR infographic
GDPR infographicGDPR infographic
GDPR infographic
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
 
What about GDPR?
What about GDPR?What about GDPR?
What about GDPR?
 
Privacy & Data Protection in the Digital World
Privacy & Data Protection in the Digital WorldPrivacy & Data Protection in the Digital World
Privacy & Data Protection in the Digital World
 
Data protection
Data protectionData protection
Data protection
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Privacy & Data Protection
Privacy & Data ProtectionPrivacy & Data Protection
Privacy & Data Protection
 
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
 

Similar to GDPR: Key Article Overview

Public sector breakfast club, October 2016, Exeter
Public sector breakfast club, October 2016, ExeterPublic sector breakfast club, October 2016, Exeter
Public sector breakfast club, October 2016, Exeter
Browne Jacobson LLP
 
GDPRR: The Key Changes
GDPRR: The Key ChangesGDPRR: The Key Changes
GDPRR: The Key Changes
Craig Clark ITIL, CIS LI,EU GDPR P
 
General Data Protection Regulation (GDPR) for Identity Architects
General Data Protection Regulation (GDPR) for Identity ArchitectsGeneral Data Protection Regulation (GDPR) for Identity Architects
General Data Protection Regulation (GDPR) for Identity Architects
WSO2
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
Kwanzoo Inc
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 Introduction to EU General Data Protection Regulation: Planning, Implementat... Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...
m-hance
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
MyComplianceOffice
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
Gdpr demystified - making sense of the regulation
Gdpr demystified  - making sense of the regulationGdpr demystified  - making sense of the regulation
Gdpr demystified - making sense of the regulation
James Mulhern
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
GrittyCC
 
Domain management and brand protection in the era of the EU's GDPR
Domain management and brand protection in the era of the EU's GDPRDomain management and brand protection in the era of the EU's GDPR
Domain management and brand protection in the era of the EU's GDPR
BartLieben
 
Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4
Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4
Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4
Adestra
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPR
IT Governance Ltd
 
Data Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPRData Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPR
ImogenRutherford
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")
Parsons Behle & Latimer
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
Tim Gough
 
Dataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptxDataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptx
Marco Gioanola
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
Ulf Mattsson
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
CloudWATCH Consortium
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 

Similar to GDPR: Key Article Overview (20)

Public sector breakfast club, October 2016, Exeter
Public sector breakfast club, October 2016, ExeterPublic sector breakfast club, October 2016, Exeter
Public sector breakfast club, October 2016, Exeter
 
GDPRR: The Key Changes
GDPRR: The Key ChangesGDPRR: The Key Changes
GDPRR: The Key Changes
 
General Data Protection Regulation (GDPR) for Identity Architects
General Data Protection Regulation (GDPR) for Identity ArchitectsGeneral Data Protection Regulation (GDPR) for Identity Architects
General Data Protection Regulation (GDPR) for Identity Architects
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 Introduction to EU General Data Protection Regulation: Planning, Implementat... Introduction to EU General Data Protection Regulation: Planning, Implementat...
Introduction to EU General Data Protection Regulation: Planning, Implementat...
 
GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
Gdpr demystified - making sense of the regulation
Gdpr demystified  - making sense of the regulationGdpr demystified  - making sense of the regulation
Gdpr demystified - making sense of the regulation
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Domain management and brand protection in the era of the EU's GDPR
Domain management and brand protection in the era of the EU's GDPRDomain management and brand protection in the era of the EU's GDPR
Domain management and brand protection in the era of the EU's GDPR
 
Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4
Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4
Key marketing impacts of the GDPR - Rosemary Smith, Director, Opt-4
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPR
 
Data Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPRData Protection: Transitioning to the GDPR
Data Protection: Transitioning to the GDPR
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
 
Dataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptxDataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptx
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 

Recently uploaded

Comparative analysis of ipc and bharitye Naya sahinta
Comparative analysis of ipc and bharitye Naya sahintaComparative analysis of ipc and bharitye Naya sahinta
Comparative analysis of ipc and bharitye Naya sahinta
adi2292
 
一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理
一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理
一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理
ucoux1
 
United States vs. Donald Trump Speaking Indictment
United States vs. Donald Trump Speaking IndictmentUnited States vs. Donald Trump Speaking Indictment
United States vs. Donald Trump Speaking Indictment
Todd Spodek
 
一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理
一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理
一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理
ymefneb
 
PoliticalScience_SrSec_2023-24.pdfffffff
PoliticalScience_SrSec_2023-24.pdfffffffPoliticalScience_SrSec_2023-24.pdfffffff
PoliticalScience_SrSec_2023-24.pdfffffff
RajatVerma652178
 
Capital Punishment by Saif Javed (LLM)ppt.pptx
Capital Punishment by Saif Javed (LLM)ppt.pptxCapital Punishment by Saif Javed (LLM)ppt.pptx
Capital Punishment by Saif Javed (LLM)ppt.pptx
OmGod1
 
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
一比一原版(ua毕业证书)加拿大阿尔伯塔大学毕业证如何办理
ubype
 
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
原版定做(sheffield学位证书)英国谢菲尔德大学毕业证文凭证书原版一模一样
abondo3
 
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...
AHRP Law Firm
 
A Critical Study of ICC Prosecutor's Move on GAZA War
A Critical Study of ICC Prosecutor's Move on GAZA WarA Critical Study of ICC Prosecutor's Move on GAZA War
A Critical Study of ICC Prosecutor's Move on GAZA War
Nilendra Kumar
 
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
meboh
 
一比一原版英国桑德兰大学毕业证(uos学位证)如何办理
一比一原版英国桑德兰大学毕业证(uos学位证)如何办理一比一原版英国桑德兰大学毕业证(uos学位证)如何办理
一比一原版英国桑德兰大学毕业证(uos学位证)如何办理
zv943dhb
 
一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理
一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理
一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理
ayvace
 
Legal Research and Legal Methodology-1.pptx
Legal Research and Legal Methodology-1.pptxLegal Research and Legal Methodology-1.pptx
Legal Research and Legal Methodology-1.pptx
varalakshmillm
 
一比一原版多伦多都会大学毕业证(TMU毕业证书)学历如何办理
一比一原版多伦多都会大学毕业证(TMU毕业证书)学历如何办理一比一原版多伦多都会大学毕业证(TMU毕业证书)学历如何办理
一比一原版多伦多都会大学毕业证(TMU毕业证书)学历如何办理
woywevt
 
一比一原版(monash毕业证书)莫纳什大学毕业证如何办理
一比一原版(monash毕业证书)莫纳什大学毕业证如何办理一比一原版(monash毕业证书)莫纳什大学毕业证如何办理
一比一原版(monash毕业证书)莫纳什大学毕业证如何办理
bzofm
 
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptxTHE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
Namrata Chakraborty
 
Asian legal busiess india you are invited
Asian legal busiess india you are invitedAsian legal busiess india you are invited
Asian legal busiess india you are invited
digitalrashi12
 
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
一比一原版朴次茅斯大学毕业证(uop毕业证)如何办理
onduyv
 
一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理
aypxuyw
 

Recently uploaded (20)

Comparative analysis of ipc and bharitye Naya sahinta
Comparative analysis of ipc and bharitye Naya sahintaComparative analysis of ipc and bharitye Naya sahinta
Comparative analysis of ipc and bharitye Naya sahinta
 
一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理
一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理
一比一原版新加坡国立大学毕业证(本硕)nus学位证书如何办理
 
United States vs. Donald Trump Speaking Indictment
United States vs. Donald Trump Speaking IndictmentUnited States vs. Donald Trump Speaking Indictment

GDPR: Key Article Overview

1. General Data Protection Regulations: Key Articles Overview
Craig Clark, Information Security & Compliance Manager

2. Topics
• What is the GDPR
• European Law Landscape
• Key dates
• GDPR Structure
• What is Personally Identifiable Information?
• Territorial Scope - Articles 1-3
• Remedies, Liabilities and Penalties - Articles 79, 82 & 83
• Data Collection Principles - Article 5
• Lawfulness - Articles 5 & 6
• Consent - Articles 7-9
• Transparency - Articles 12-18
• Data Security - Article 32
• Data Breach Notification - Articles 33 & 34

3. What is the GDPR
• A complete overhaul of data protection regulation, with extensive updates of what can be considered identifiable information
• Applies across all Member States of the European Union
• Applies to all organisations processing the data of EU data subjects - wherever the organisation is geographically based
• Specific and significant rights for data subjects to seek compensation, rights to erasure and accurate representation
• Compensation can be sought against organisations and individuals employed by them
• Fines of up to €20,000,000 or 4% of global annual turnover
• Significant reduction in that amount based on the technical or organisational controls implemented

4. European Law Landscape
European legislation can be separated into two main branches:
Directives
• Require individual implementation in each Member State (each State can implement rules in its own way)
• Implemented by the creation of national laws approved by the parliaments of each Member State
• European Directive 95/46/EC (the current Data Protection Act) is a Directive
• Sets out a goal that a Member State must achieve - room for tailoring
• 28 different variations among Member States

5. European Law Landscape
Regulations:
• Immediately applicable in each Member State in a uniform manner
• Binding legislative act
• Derogations allow for fine tuning; examples include the age of a child and the definition of large-scale data processing
• The EU GDPR is a Regulation
• Regulations are not negotiable by Member States
• Regulations may apply to countries outside the EU if they affect EU subjects (people who are originally from the EU)

6. Key Dates for GDPR
On 4 May 2016 the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016 and applies from 00:01 on 25 May 2018. As it stands, the United Kingdom will still be considered a Member State at the time of inception and will therefore be subject to the requirements of the EU GDPR. This Regulation shall be binding in its entirety and directly applicable in all Member States.

7. GDPR Structure
(Diagram of the actors and their relationships: European Data Protection Board; Lead Supervising Authority (Information Commissioner's Office); Data Processor; Data Controller (Organisation); Data Subject (Individuals); 3rd Countries; 3rd Party)

8. GDPR Structure
• The European Data Protection Board will issue guidance for controllers and processors
• They will facilitate the use of Data Protection Impact Assessments
• The ICO will oversee both Data Controllers and Data Processors
• Breaches and notifications will be made to the ICO
• 3rd Countries - countries to which data is transferred
• At the centre of the GDPR is the protection of Personally Identifiable Information

9. Personally Identifiable Information
Can be defined as information that can be used to identify a living individual. Examples include (but are not limited to):
• First & last name (combined)
• Home address
• Date/place of birth
• Photos and videos
• Username/password
• National Insurance/Social Security number
• Bank account details
• Credit card details
• Passport number
• Medical records
• Financial records
• Non work-related correspondence
• Personal email addresses/emails
• Biometric data
• Cookies
• MAC address
• IP address

10. High Risk Personal Information
Other information, while not individually useful as an identifier, has been defined as high risk, and as such breaches involving high risk data should be notified. High risk data includes:
• Racial and ethnic origin
• Trade union membership
• Religion
• Political opinion
• Healthcare data
• Genetic data
• Sexual orientation
• Location data
• Disability information
• Biometric data
• Mental health status
• Gender

11. Territorial Scope
Articles 1-3 cover the applicability of the Regulation
• Data Subjects = living individuals, aka natural persons. They have rights associated with:
  - The protection of personal data
  - The protection of the processing of personal data
  - Unrestricted movement of personal data throughout the European Union (with consent)
• The scope of the GDPR includes personal data that is processed wholly or partly by automated means and personal data that is part of a filing system (or is intended to be)
• Any organisation that processes the data of EU citizens is subject to the Regulation

12. Remedies, Liabilities & Penalties
• Enforcement powers of the ICO will be significantly enhanced with the issuing of measures, notices and monetary fines intended to be effective, proportionate and dissuasive
• Fines can be up to €10,000,000 for an enterprise or 2% of total worldwide turnover for the preceding year, whichever is greater
• Fines are calculated based on several factors:
  - Controls already in place
  - Nature, gravity, extent and duration of the infringement
  - The types of personal data involved in the infringement
  - Actions taken by the controller or processor to mitigate, negate or notify affected parties (including the ICO) of a breach

13. Remedies, Liabilities & Penalties
• Data subjects have the right to an effective judicial remedy against a controller or processor when the rights of the data subject have been infringed as a result of processing
• Action can be sought either:
  - In the courts of a Member State where the processor has an establishment
  - In the courts of a Member State where the subject habitually resides
  - Against a controller for the inadequate control of data or a processor for processing

14. Data Collection Principles
The GDPR sets out 7 key principles for the collection of data:
• Data must be processed lawfully, fairly and in a transparent manner
• Data must only be collected for specified, explicit and legitimate purposes
• Collected data must be adequate, relevant and limited to what is necessary
• Collected data must be accurate and, where necessary, kept up to date
• Data must be retained only as long as necessary
• Data must be processed securely
• There must be accountability in all processing activity

15. Lawfulness of Processing
The Regulation introduces the concept of lawfulness and places specific obligations on the controller and processor:
• Data must be secured against accidental loss, damage or destruction
• Processing must be lawful, which means inter alia:
  - The data subject must provide explicit consent for processing for each service
  - The processing to be performed is necessary for the performance of a contract
  - Processing is necessary for compliance with a legal obligation
• Controllers have one month to process Subject Access Requests - no charges (unless vexatious)

16. Lawfulness of Processing
The Regulation seeks to clearly distinguish between the obligations placed upon controllers and processors.
• Processors and controllers must now have a legally binding contract
• Controllers are responsible for ensuring processors comply with contractual terms for processing information
• Processors, like controllers, are required to implement appropriate security measures
• The lead processor is required to reflect the same contractual obligations it has with the controller in a contract with any sub-processors, and remains liable to the controller for the actions or inactions of any sub-processor

17. Consent
• Consent must be clear and affirmative - inaction on the part of the data subject no longer implies consent
• Controllers must be able to demonstrate that consent was given in a clear, intelligible and easily accessible way, or else it is not binding
• It must be possible for data subjects to withdraw consent at any time, and withdrawing it must be as easy as giving it. This has significant implications for how data is processed
• Special conditions for children under the age of 16
• Separate, explicit consent must be given for high risk personal data, along with an outline of what the controller intends to do with it in terms of processing (except in protecting the public interest)
• All information should be secured

18. Transparency
New obligations are placed on controllers on how they interact with data subjects
• Any communications need to be concise, transparent and intelligible
• Controllers must provide clear, unambiguous information about how and why a subject's data is collected and processed
• Controllers have an obligation to proactively provide information about individuals within the organisation, including the Data Controller and the Data Protection Officer, and the specific rights a subject has
• If data has been obtained indirectly (e.g. a mailing list), controllers must take specific steps to notify affected subjects
• All data subjects have rights to access their data, including the right of erasure, the right of transfer and the right of accuracy

19. Data Security
A requirement on controllers and processors to implement a level of security appropriate to the risk. Techniques:
• Pseudonymisation - separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately
• Encryption - conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorised parties
• Minimisation - reducing the data collection to the minimum required to deliver the service agreed by the data subject
• Penetration testing - agreeing a process for regularly testing, assessing and evaluating the effectiveness of security measures
• Ensuring ongoing application of confidentiality, integrity and availability controls
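The pseudonymisation and minimisation techniques described on the Data Security slide, as an added Python example that is not part of the original deck: direct identifiers are replaced by keyed tokens, the key and the re-identification map are held in a separate vault, and fields the service does not need are dropped. The field names, the HMAC-token scheme, the vault class and the sample record are assumptions constructed for illustration.

```python
"""Added example (not from the slide deck): pseudonymisation and minimisation
as the Data Security slide defines them. Direct identifiers become keyed HMAC
tokens; the key and token-to-identity map live apart from the processing copy,
so that copy alone cannot be linked to a person. Field names are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Fields the deck lists as direct personal identifiers (constructed names).
DIRECT_IDENTIFIERS = ("name", "email", "national_insurance")

class IdentityVault:
    """The 'additional information held separately': a secret key plus the
    re-identification map. It never ships with the processing dataset."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # pseudonym -> original value

    def pseudonym(self, value: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, a party holding
        # only the dataset cannot confirm a guessed name or NI number by hashing it.
        token = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self.lookup.get(token)

def pseudonymise(record: Dict[str, str], vault: IdentityVault,
                 needed: Set[str]) -> Dict[str, str]:
    """Build the processing copy: keep only the fields the service needs
    (minimisation) and tokenise any direct identifier among them."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field not in needed:
            continue  # minimisation: do not carry data the service never agreed to use
        out[field] = vault.pseudonym(value) if field in DIRECT_IDENTIFIERS else value
    return out

if __name__ == "__main__":
    vault = IdentityVault()
    customer = {"name": "Alice Example", "email": "alice@example.invalid",
                "national_insurance": "QQ123456C", "postcode": "AB1 2CD"}
    copy = pseudonymise(customer, vault, {"name", "postcode"})
    print(copy)  # name is a 16-hex-char token; NI number and email are absent
    print(vault.reidentify(copy["name"]))  # "Alice Example", only via the vault
```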
20. Data Breach Notification
The GDPR stipulates specific requirements for breach notification. The legislation defines a breach as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."
• Processors must notify controllers of any breach
• Controllers must notify the Lead Supervisory Authority of high risk breaches without undue delay and, where feasible, not later than 72 hours after becoming aware of it
• How and when a notification is made has a significant impact on mitigation from the Lead Supervisory Authority

21. Notification Requirements
• Notification to the ICO without undue delay (within 72 hours)
• Description of the nature of the breach
• Specify categories of data subjects (gender, adult or child, patient, student etc.)
• The number of data subjects affected
• The number of personal records breached
• The likely implications of the breach
• Details of the Data Protection Officer
• The measures taken to mitigate
• Currently no requirement to notify if the breach is not considered high risk and is unlikely to impact the rights and freedoms of data subjects (guidance on what constitutes high risk to be confirmed)

22. Notification Requirements
When a high risk breach has occurred, the data controller has specific obligations regarding communication to affected data subjects
• Communication can be mandated by the supervisory authority
• Communication must be carried out without undue delay
• Communication must be in clear, plain language
• Exceptions if appropriate measures have been implemented to minimise risk
• Exceptions if communication would involve disproportionate effort compared to the risk

23. Why this is Important
Between January and March 2016 the ICO was notified of 448 significant data breaches. Now more than ever, the ethos needs to be that we will be breached eventually, and we need to prepare for that eventuality.

Editor's Notes

  1. This is a rather dry, formal definition but useful.