General Data Protection Regulation
1. General Data Protection Regulation
{OPOSEC - [0x37]}
António Pinto
apinto@estg.ipp.pt
23 November 2016
2. About me...
Teacher at ESTG of the Polytechnic of Porto
(Operating systems, Computer networks, Digital forensics)
Researcher at CRACS/INESC TEC
I like network security, digital forensics, data privacy
(and some other stuff :) )
3. Use of personal data may be ...
Researchers used anonymous browsing logs to
diagnose pancreatic cancer and compared the results with real
cancer diagnoses. Their results were ahead by
5 months. (Good!)
GIC released anonymized data on state employees
(mid-1990s) that showed every single hospital visit.
The goal was to help researchers. Patient identifiers
were deleted. Privacy was assured by the Governor of
Massachusetts. Someone cross-checked it with local
voter rolls, and the Governor's data was identified. (Bad!)
The end of anonymity is upon us! (Ugly!)
4. Should we regulate the use of personal data?
The USA is more liberal: it's all business ($)! Northern
countries (of Europe) view the state as friendly,
so public use of private data is accepted more
easily. Portugal (and similar countries) view the state as a foe!
Another point of conflict is the ownership of the data. It may
belong to the data collector (USA) or to the data
subject (EU).
It’s a cultural issue!
5. General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679
GDPR aims to strengthen and unify data protection
for individuals within the EU.
6. Key principles
Regulation (EU) 2016/679
Data collection and processing must be done with:
Lawfulness, fairness and transparency
Purpose limitation
Data minimization
Accuracy (and up to date)
Storage limitation
Integrity and confidentiality
Accountability
7. Rights of the data subject
Regulation (EU) 2016/679, Chapter III
To be informed using clear and plain language
To be informed of data collection
To access the collected personal data
To rectify the personal data
To be forgotten
To restrict data processing
To be informed of rectifications, erasures or restrictions
To data portability
To object (direct marketing, for instance)
To not be subject to automated individual decision-making
(including profiling)
8. General obligations of controllers
Regulation (EU) 2016/679, Chapter IV
Impose data protection by design and by default
Only use processors providing guarantees of compliance
Maintain records of processing activities
Cooperate with the supervisory authority
Implement a level of security appropriate to the risk
Notify the supervisory authority of a data breach (72h)
Communicate a data breach to the data subject (or publicly)
Data protection impact assessment (previous, consultation)
Designate a Data Protection Officer (DPO)
9. Data Protection Officer (DPO)
Regulation (EU) 2016/679, Chapter IV, Section 4
To be involved in all issues relating to the protection of
personal data
Report directly to the highest management level
Monitor compliance with GDPR
Advise on data protection impact assessments
Cooperate with the supervisory authority
10. Data transfers outside the EU
Regulation (EU) 2016/679, Chapter V
Transfers can occur to entities that comply with GDPR
The Commission may define third countries as compliant
Transfers subject to appropriate safeguards are OK
11. Remedies, liability and penalties
Regulation (EU) 2016/679, Chapter VIII
Fines:
20 million euros or 4% of total worldwide annual turnover
(whichever is higher)
12. References
Regulation (EU) 2016/679
Screening for Pancreatic Adenocarcinoma Using Signals
From Web Search Logs: Feasibility Study and Results
John Paparrizos, Ryen W. White, Eric Horvitz
DOI: 10.1200/JOP.2015.010504 (August 2016)
“Anonymized” data really isn’t - and here’s why not
Nate Anderson
Ars Technica, Blog post, 9/8/2009, 12:25 PM