The General Data Protection Regulation (GDPR) is an EU law that sets new standards for data protection and privacy for all individuals within the EU and regulates the export of personal data outside the EU. It requires companies to gain consent for data collection, provides rights for data access and portability for individuals, and increases fines for non-compliance up to 4% of global revenue. The GDPR also mandates appointment of data protection officers, principles of privacy by design, rights to be forgotten, and data breach notification within 72 hours.

1. General Data Protection
Regulation
(GDPR)

2. Overview
• The EU’s General Data Protection Regulation (GDPR) compliance law
has caused quite the buzz since approval in April 2016.
• GDPR attempts to ensure data protection for any EU citizen beginning
in May 2018.
• GDPR will require companies within EU countries and any company
that sends or retrieves data from EU countries, to comply with new
regulations involving data protection and data security. (That means
any global organisation based outside the EU as well.)

3. Introduction
• Businesses spending a lot of time and money in preparation for GDPR
• Compliance failure with GDPR after May 2018 comes with fines of up
to 4% of the company’s global revenue (not profit) or up to €20
million, along with damaged reputational damage and potential
lawsuits.

4. GDPR in a nutshell
• With GDPR, companies must notify authorities and customers of data
breaches within 72 hours of becoming aware of a security breach.
Companies must maintain customer records in order to inform
customers when and how their data is being used. Companies should
have the capabilities to provide customers a copy of their data if
requested and allow customers the facility to have their data erased.

5. Data Protection Officer
• For companies that process large amounts of EU citizens’ personal
data GDPR mandates the appointment of a data protection officer
(DPO), whose primary function is to ensure compliance with the
regulations.
• Expert on data protection law, business practices and technology and
security, and GDPR guidelines suggest the DPO should be located in
the EU.

6. Software Development Life Cycle (SDLC)
• GDPR impacts the software development life cycle for organizations
that plan to rollout projects within the EU.
• There are many types of SDLC’s utilised in industry, such as Agile,
DevOPS, Waterfall, Iterative, and so on. Despite the different names
and the different approaches, these numerous types of SDLC’s have
several high level common areas.

7. Software Development Life Cycle (SDLC)
• All SDLC’s have some form of the following phases:
• Plan
• Design
• Build
• Test
• Rollout
• Maintain
• GDPR will have an impact on all phases of the SDLC

8. IT Systems
• Generally, we find the following commonalities across IT systems.
• Data transport and security layer
• Database and data architecture layer
• Application and logic layer
• Presentation and portal layer
• GDPR will have an impact on all phases of the SDLC and all layers of IT
systems

9. GDPR Regulation
• The GDPR regulation was developed focusing on social networks,
cloud providers, any organisation collecting or processing data about
EU citizens or selling goods or services to EU citizens regardless of
whether the organisation is bases in the EU or not.
• Overarching idea
• Privacy by Design principles are required by default

10. GDPR Key Points
• Implementing data protection in the system and the organization, by
design and by default, is a legal requirement.
• Data is secured, and integrity and confidentiality are maintained,
using technical and organizational means under the management of
the Data Controller
• Data controllers and data processors are the two main parties which are
involved in the processing and, under the GDPR, duties regarding the
protection of personal data.

11. GDPR Key Points
• Data pseudonymization shall be used, when possible
• Data shall be anonymized, when possible
• Pseudonymization and Anonymization are different in one key aspect.
Anonymization irreversibly destroys any way of identifying the data subject.
Pseudonymization substitutes the identity of the data subject in such a way
that additional information is required to re-identify the data subject.
• Pseudonymization is a method to substitute identifiable data with a
reversible, consistent value. Anonymization is the destruction of the
identifiable data.

12. GDPR Key Points
• Processing attributes and (the processing) steps shall be provided to
the data subject in an easy to understand form at the time of data
collection, electronically or in writing
• A data subject has the right to ask a data controller whether his or her
personal data is being processed, and if so, can request access to both the
personal data and information on processing, the recipients and data
transfers (i.e. other companies and the data they have received).

13. GDPR Key Points
• Data subjects shall have the right to access and review the processing
of their data at any time.
• Data subjects have the right to know if and when their data is transferred to a
third country or an international organisation, along with the safeguards in
place to ensure ongoing protection of the data after transfer. A data controller
must provide a copy of any personal data undergoing processing at no charge
the first time it is requested

14. GDPR Key Points
• The data subject shall have a right to a copy of their data in a
commonly used format
• Data regarding a data subject shall be portable to another provider (or
perhaps even your competitor)

15. GDPR Key Points
• The data subject shall have the right to have their data updated, free
of charge, if there is an error.
• If a data controller holds inaccurate personal data about a data subject, the
data subject has the right to supply the correct information to get their
personal data updated. The data controller is required to rectify the
inaccurate information.

16. GDPR Key Points
• The data subject shall have the right to have their data erased
without undue delay (Right to be forgotten).
• Data controllers, on the other hand, have the ability under the GDPR to
decline an erasure request if it falls within one of the several exclusions such
as compliance with a legal obligation, public interest for public health, and
legal claims.
• Technological ability to erase all affected data promptly.
• The data controller must notify other IT organisations that hold the
data subject’s data that the data subject has requested data erasure.

17. GDPR Key Points
• The data subject shall have the right to object to processing,
withdraw consent to processing and opt-out of processing.
• Right to Restriction of Processing. A data subject has the right to have their
personal data excluded from future processing activities - either temporarily
or permanently
• Data controllers must keep records of the processing activities for which they
are responsible, with a list of specific information to be retained for each
record.

18. GDPR Key Points
• Data is stored only for the time necessary to meet the objectives of
the data subject. Out-of-date personal data shall not be stored. (Part
of an Electronic Records Management strategy).
• Data subject shall be notified of this time period or its calculation
approach at the time of the data capture.
• A data protection officer has the obligation to notify each recipient of any
personal data newly impacted by the exercise of a data subject's rights in
relation to rectification, erasure, or restriction. If the data subject requests
details on recipients, the data controller is required to supply it.
• The data subject can also object to processing for the purposes of direct
marketing and profiling for direct marketing activities.

19. GDPR Key Points
• A determination must be made, almost immediately, whether a data
breach is likely to have been a “high risk to the rights and freedoms of
the natural person” as such a technical environment must be in place
to identify, track and assess such breaches.
• All data breaches, no matter how small, must be reported to the
supervisory authority.
• Individuals affected by data breaches must be notified if the attack is deemed
to have adverse impact.
• Companies must notify authorities and customers of data breaches within 72
hours of becoming aware of a security breach.

20. GDPR Key Points
• An organisation must have a process for regularly testing, assessing,
and evaluating the effectiveness of technical and organizational
measures for ensuring the security of their processing