Legal obligations and responsibilities of data processors and controllers under the GDPR
Presented by:
• Alan Calder, founder and executive chairman, IT Governance
3 August 2017
Copyright IT Governance Ltd 2017 – v1.1
TM
www.itgovernance.co.uk
Introduction
• Alan Calder
• Founder of IT Governance
• The single source for IT governance, cyber risk management and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th Edition (Open University textbook)
• www.itgovernance.co.uk
IT Governance Ltd: GRC one-stop-shop
All verticals, sectors and all organisational sizes
Agenda
• The definitions of ‘data controller’ and ‘data processor’ under the GDPR.
• The responsibilities and obligations of controllers and processors.
• The data breach reporting responsibilities of controllers and processors.
• The liability of, and penalties that may be imposed on, data processors and controllers.
• The appointment of joint controllers and subcontracting processors.
The definitions of ‘data controller’ and ‘data processor’ under the GDPR
Article 99: Entry into force and application
• UK organisations that process the personal data of EU residents have only a short time to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
• 8 April 2016: the Council of the European Union adopted the GDPR.
• 12 April 2016: the GDPR was adopted by the European Parliament.
• 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU.
• 24 May 2016: the Regulation entered into force.
• 25 May 2018: the GDPR will apply.
Key definitions
Article 4(1) ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly.
Article 4(7) ‘Controller’ means the natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing.
Article 4(8) ‘Data processor’ means a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.
Article 4(2) ‘Processing’ means any operation or set of operations that is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
The responsibilities and obligations of controllers and processors
Responsibilities and obligations
To comply with the GDPR, data controllers must determine:
• The legal basis for collecting data;
• Which items of personal data to collect, i.e. the content of the data;
• The purpose or purposes the data is to be used for;
• Which individuals to collect data about;
• Whether to disclose the data and, if so, to whom;
• Whether subject access and other individuals’ rights apply, i.e. the application of exemptions; and
• How long to retain the data or whether to make non-routine amendments to the data.
Responsibilities and obligations
Controller:
• Adhere to codes of conduct
• Implement technical and organisational measures
• Implement data protection policies
Responsibilities and obligations
Article 28: Processor
A legal contract must make sure that the processor:
• Processes the personal data only on documented instructions from the controller;
• Makes sure that persons authorised to process the personal data observe confidentiality;
• Takes appropriate security measures;
• Respects the conditions for engaging another processor;
• Assists the controller by appropriate technical and organisational measures;
• Assists the controller in ensuring compliance with the obligations to the security of processing;
• Deletes or returns all the personal data to the controller after the end of the provision of services; and
• Makes available to the controller all information necessary to demonstrate compliance with the Regulation.
Responsibilities and obligations
Within the terms of the agreement with the data controller and their contract, a data processor may decide:
• What IT systems or other methods to use to collect personal data;
• How to store the personal data;
• The detail of the security surrounding the personal data;
• The means used to transfer the personal data from one organisation to another;
• The means used to retrieve personal data about certain individuals;
• The method for making sure a retention schedule is adhered to; and
• The means used to delete or dispose of the data.
Responsibilities and obligations: Accountability
• Article 5: Principles relating to processing of personal data
• “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
Responsibilities and obligations
Article 12, clause 2 (and recital 59): The controller must facilitate the exercise of data subject rights.
1. The right to be informed.
2. The right of access.
3. The right to rectification.
4. The right to erasure.
5. The right to restrict processing.
6. The right to data portability.
7. The right to object.
8. Rights in relation to automated decision making and profiling.
Responsibilities and obligations
Article 30: Records of processing activities
• The controller or their representative shall maintain a record of processing activities containing all of the following information:
– The name and contact details of the controller, joint controller, the controller's representative and data protection officer (DPO);
– The purposes of the processing;
– A description of the categories of data subjects and of the categories of personal data;
– The categories of recipients to whom the personal data has been or will be disclosed;
– International transfers of personal data and the documentation of appropriate safeguards;
– The envisaged time limits for erasure of the different categories of data;
– A general description of the technical and organisational security measures implemented.
The data breach reporting responsibilities of controllers and processors
Data breach reporting responsibilities
The definition of a personal data breach in the GDPR:
• A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data breach reporting responsibilities
Obligation for the data processor to notify the data controller:
• Notification without undue delay after becoming aware.
• No exemptions.
• All data breaches have to be reported.
Data breach reporting responsibilities
Obligation for the data controller to notify the supervisory authority:
• Notification without undue delay and not later than 72 hours.
• Unnecessary in certain circumstances.
• Description of the nature of the breach.
• No requirement to notify if unlikely to result in a risk to the rights and freedoms of natural persons.
• Failure to report within 72 hours must be explained.
Data breach reporting responsibilities
Obligation for the data controller to communicate a personal data breach to data subjects:
• Communication to the data subject without undue delay if high risk.
• Communication in clear plain language.
• Supervisory authority may compel communication with the data subject.
Exemptions if:
• Appropriate technical and organisational measures are taken;
• A high risk to a data subject will not materialise; or
• Communication with a data subject would involve disproportionate effort.
The liability of, and penalties that may be imposed on, data processors and controllers
Remedies, liabilities and penalties
Article 79: Natural persons have rights
• Judicial remedy where their rights have been infringed as a result of the processing of personal data.
– In the courts of the Member State where the controller or processor has an establishment.
– In the courts of the Member State where the data subject habitually resides.
• Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.
• The controller involved in processing shall be liable for damage caused by processing.
Remedies, liabilities and penalties
• In each case, fines will be effective, proportionate and dissuasive.
• Fines administered will take into account technical and organisational measures implemented.
• €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
• €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year.
Remedies, liabilities and penalties
Article 83: General conditions for imposing administrative fines
• The nature, gravity and duration of the infringement;
• The intentional or negligent character of the infringement;
• Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
• The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them;
Remedies, liabilities and penalties
Article 82: Right to compensation and liability
• Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.
• The controller involved in processing shall be liable for damage caused by processing.
• The processor is liable only for damage caused by processing or where it has acted contrary to lawful instructions of the controller.
• Exemption for the controller and processor where they are not responsible.
• Joint and several liability to ensure effective compensation.
• Compensation clawback provision.
The appointment of joint controllers and subcontracting processors
The appointment of joint controllers
Article 26: Joint controllers
• When two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.
Article 29: Working party guidance
• Joint controllers should appoint one establishment, which has the power to implement decisions about processing with respect to all the joint controllers.
The appointment of joint controllers
Article 26: Joint controllers shall:
• Determine the responsibilities and obligations in a transparent manner and determine their respective responsibilities for compliance;
• Designate a point of contact for exercising the rights of the data subject; and
• Decide on the respective duties to:
– Provide data subjects with access to the information collected; and
– Provide information about the controller where personal data has not been obtained from the data subject.
The appointment of joint controllers
Article 26: Joint controllers
• To determine their responsibilities and obligations by means of arrangement.
• The arrangement between joint controllers shall be made available to the data subject.
Article 26 (3): Liability of joint controllers
• Joint controllers are jointly and individually liable.
• A joint controller may be exempt from liability if it can prove no responsibility for the data breach.
The appointment of joint controllers
Article 27: Representatives of controllers or processors not established in the Union
Where the controller or the processor is not established in the Union:
• They shall designate in writing a representative in the Union.
• A representative shall be established where data processing or profiling resides.
• The representative shall be mandated to be addressed by supervisory authorities and data subjects for the purposes of the Regulation.
• The designation of a representative does not absolve the controller or processor from legal liabilities.
Subcontracting processors
Data processors may appoint a sub-processor
• Data processors may only process data on behalf of a controller where a written agreement is made between the two parties.
• The agreement should outline the obligations and responsibilities, as set out in the GDPR.
• Data processors may not engage a sub-processor or contract a data processing service provider without the controller’s authorisation.
Subcontracting processors
Sub-processors or subcontracted processors shall:
• Only process data in accordance with the controller’s instructions;
• Maintain records of data processing activities;
• Make sure that persons authorised to process the personal data observe confidentiality;
• Take appropriate security measures;
• Assist the controller by applying appropriate technical and organisational measures;
• Assist the controller in ensuring compliance with the obligations to the security of processing;
• Delete or return all the personal data to the controller after the end of the provision of services; and
• Make available to the controller all information necessary to demonstrate compliance with the Regulation.
IT Governance: GDPR one-stop shop
Self-help materials
• A Pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis: Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Information Commissioner notification support (a legal requirement for DPA compliance): Organisations that process personal data must complete a notification with the Information Commissioner under the DPA.
• Implementing a personal information management system (PIMS): Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001: We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check: The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.
Questions?
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardIT Governance Ltd
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...IT Governance Ltd
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...IT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRIT Governance Ltd
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPRIT Governance Ltd
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 

More from IT Governance Ltd (20)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPR
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPR
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 

Recently uploaded

Vendors of country report usefull datass
Vendors of country report usefull datassVendors of country report usefull datass
Vendors of country report usefull datassDilipParmar63
 
Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024Equinox Gold Corp.
 
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptxUnveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptxmy Pandit
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterNathanBaughman3
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024   .pdfBeMetals Presentation_May_22_2024   .pdf
BeMetals Presentation_May_22_2024 .pdfDerekIwanaka1
 
chapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxationchapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxationAUDIJEAngelo
 
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...ssuserf63bd7
 
How to Maintain Healthy Life style.pptx
How to Maintain  Healthy Life style.pptxHow to Maintain  Healthy Life style.pptx
How to Maintain Healthy Life style.pptxrdishurana
 
Creative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team PresentationsCreative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team PresentationsSlidesAI
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...BBPMedia1
 
Using Generative AI for Content Marketing
Using Generative AI for Content MarketingUsing Generative AI for Content Marketing
Using Generative AI for Content MarketingChuck Aikens
 
Hyundai capital 2024 1quarter Earnings release
Hyundai capital 2024 1quarter Earnings releaseHyundai capital 2024 1quarter Earnings release
Hyundai capital 2024 1quarter Earnings releaseirhcs
 
The Truth About Dinesh Bafna's Situation.pdf
The Truth About Dinesh Bafna's Situation.pdfThe Truth About Dinesh Bafna's Situation.pdf
The Truth About Dinesh Bafna's Situation.pdfMont Surfaces
 
Falcon Invoice Discounting Setup for Small Businesses
Falcon Invoice Discounting Setup for Small BusinessesFalcon Invoice Discounting Setup for Small Businesses
Falcon Invoice Discounting Setup for Small BusinessesFalcon investment
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptseri bangash
 
State of D2C in India: A Logistics Update
State of D2C in India: A Logistics UpdateState of D2C in India: A Logistics Update
State of D2C in India: A Logistics UpdateRedSeer
 
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase   24 May  2024  Energy News issue - 1727 by Khaled Al Awadi_compresse...NewBase   24 May  2024  Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...Khaled Al Awadi
 
IPTV Subscription UK: Your Guide to Choosing the Best Service
IPTV Subscription UK: Your Guide to Choosing the Best ServiceIPTV Subscription UK: Your Guide to Choosing the Best Service
IPTV Subscription UK: Your Guide to Choosing the Best ServiceDragon Dream Bar
 
USA classified ads posting – best classified sites in usa.pdf
USA classified ads posting – best classified sites in usa.pdfUSA classified ads posting – best classified sites in usa.pdf
USA classified ads posting – best classified sites in usa.pdfsuperbizness1227
 
The Leading Cyber Security Entrepreneur of India in 2024.pdf
The Leading Cyber Security Entrepreneur of India in 2024.pdfThe Leading Cyber Security Entrepreneur of India in 2024.pdf
The Leading Cyber Security Entrepreneur of India in 2024.pdfinsightssuccess2
 

Recently uploaded (20)

Vendors of country report usefull datass
Vendors of country report usefull datassVendors of country report usefull datass
Vendors of country report usefull datass
 
Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024
 
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptxUnveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024   .pdfBeMetals Presentation_May_22_2024   .pdf
BeMetals Presentation_May_22_2024 .pdf
 
chapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxationchapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxation
 
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
 
How to Maintain Healthy Life style.pptx
How to Maintain  Healthy Life style.pptxHow to Maintain  Healthy Life style.pptx
How to Maintain Healthy Life style.pptx
 
Creative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team PresentationsCreative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team Presentations
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
 
Using Generative AI for Content Marketing
Using Generative AI for Content MarketingUsing Generative AI for Content Marketing
Using Generative AI for Content Marketing
 
Hyundai capital 2024 1quarter Earnings release
Hyundai capital 2024 1quarter Earnings releaseHyundai capital 2024 1quarter Earnings release
Hyundai capital 2024 1quarter Earnings release
 
The Truth About Dinesh Bafna's Situation.pdf
The Truth About Dinesh Bafna's Situation.pdfThe Truth About Dinesh Bafna's Situation.pdf
The Truth About Dinesh Bafna's Situation.pdf
 
Falcon Invoice Discounting Setup for Small Businesses
Falcon Invoice Discounting Setup for Small BusinessesFalcon Invoice Discounting Setup for Small Businesses
Falcon Invoice Discounting Setup for Small Businesses
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
State of D2C in India: A Logistics Update
State of D2C in India: A Logistics UpdateState of D2C in India: A Logistics Update
State of D2C in India: A Logistics Update
 
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase   24 May  2024  Energy News issue - 1727 by Khaled Al Awadi_compresse...NewBase   24 May  2024  Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
 
IPTV Subscription UK: Your Guide to Choosing the Best Service
IPTV Subscription UK: Your Guide to Choosing the Best ServiceIPTV Subscription UK: Your Guide to Choosing the Best Service
IPTV Subscription UK: Your Guide to Choosing the Best Service
 
USA classified ads posting – best classified sites in usa.pdf
USA classified ads posting – best classified sites in usa.pdfUSA classified ads posting – best classified sites in usa.pdf
USA classified ads posting – best classified sites in usa.pdf
 
The Leading Cyber Security Entrepreneur of India in 2024.pdf
The Leading Cyber Security Entrepreneur of India in 2024.pdfThe Leading Cyber Security Entrepreneur of India in 2024.pdf
The Leading Cyber Security Entrepreneur of India in 2024.pdf
 

Legal obligations and responsibilities of data processors and controllers under the GDPR

  • 1. Legal obligations and responsibilities of data processors and controllers under the GDPR
    Presented by: Alan Calder, founder and executive chairman, IT Governance
    3 August 2017
  • 2. Introduction
    Copyright IT Governance Ltd 2017 – v1.1 www.itgovernance.co.uk
    • Alan Calder
    • Founder of IT Governance
    • The single source for IT governance, cyber risk management and IT compliance
    • IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th Edition (Open University textbook)
    • www.itgovernance.co.uk
  • 3. IT Governance Ltd: GRC one-stop-shop
    All verticals, sectors and all organisational sizes
  • 4. Agenda
    • The definitions of ‘data controller’ and ‘data processor’ under the GDPR.
    • The responsibilities and obligations of controllers and processors.
    • The data breach reporting responsibilities of controllers and processors.
    • The liability of, and penalties that may be imposed on, data processors and controllers.
    • The appointment of joint controllers and subcontracting processors.
  • 5. The definitions of ‘data controller’ and ‘data processor’ under the GDPR
  • 6. Article 99: Entry into force and application
    • UK organisations that process the personal data of EU residents have only a short time to make sure that they are compliant.
    • The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
    “This Regulation shall be binding in its entirety and directly applicable in all Member States.”
    Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
    – 8 April 2016: the Council of the European Union adopted the GDPR.
    – 12 April 2016: the GDPR was adopted by the European Parliament.
    – 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU.
    – 24 May 2016: the Regulation entered into force.
    – 25 May 2018: the GDPR will apply.
  • 7. Key definitions
    Article 4(1): ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly.
  • 8. Key definitions
    Article 4(7): ‘Controller’ means the natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing.
  • 9. Key definitions
    Article 4(8): ‘Data processor’ means a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.
  • 10. Key definitions
    Article 4(2): ‘Processing’ means any operation or set of operations that is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
  • 11. The responsibilities and obligations of controllers and processors
  • 12. Responsibilities and obligations
    To comply with the GDPR, data controllers must determine:
    • The legal basis for collecting data;
    • Which items of personal data to collect, i.e. the content of the data;
    • The purpose or purposes the data is to be used for;
    • Which individuals to collect data about;
    • Whether to disclose the data and, if so, to whom;
    • Whether subject access and other individuals’ rights apply, i.e. the application of exemptions; and
    • How long to retain the data or whether to make non-routine amendments to the data.
  • 13. Responsibilities and obligations
    Controller:
    • Adhere to codes of conduct
    • Implement technical and organisational measures
    • Implement data protection policies
  • 14. Responsibilities and obligations
    Article 28: Processor
    A legal contract must make sure that the processor:
    • Processes the personal data only on documented instructions from the controller;
    • Makes sure that persons authorised to process the personal data observe confidentiality;
    • Takes appropriate security measures;
    • Respects the conditions for engaging another processor;
    • Assists the controller by appropriate technical and organisational measures;
    • Assists the controller in ensuring compliance with the obligations relating to the security of processing;
    • Deletes or returns all the personal data to the controller after the end of the provision of services; and
    • Makes available to the controller all information necessary to demonstrate compliance with the Regulation.
  • 15. Responsibilities and obligations
    Within the terms of the agreement with the data controller and their contract, a data processor may decide:
    • What IT systems or other methods to use to collect personal data;
    • How to store the personal data;
    • The detail of the security surrounding the personal data;
    • The means used to transfer the personal data from one organisation to another;
    • The means used to retrieve personal data about certain individuals;
    • The method for making sure a retention schedule is adhered to; and
    • The means used to delete or dispose of the data.
  • 16. Responsibilities and obligations: accountability
    Article 5: Principles relating to processing of personal data
    1. Processed lawfully, fairly and in a transparent manner
    2. Collected for specified, explicit and legitimate purposes
    3. Adequate, relevant and limited to what is necessary
    4. Accurate and, where necessary, kept up to date
    5. Retained only for as long as necessary
    6. Processed in an appropriate manner to maintain security
    “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
  • 17. Responsibilities and obligations
    Article 12, clause 2 (and recital 59): The controller must facilitate the exercise of data subject rights.
    1. The right to be informed.
    2. The right of access.
    3. The right to rectification.
    4. The right to erasure.
    5. The right to restrict processing.
    6. The right to data portability.
    7. The right to object.
    8. Rights in relation to automated decision making and profiling.
  • 18. Responsibilities and obligations
    Article 30: Records of processing activities
    • The controller or their representative shall maintain a record of processing activities containing all of the following information:
      – The name and contact details of the controller, joint controller, the controller's representative and data protection officer (DPO);
      – The purposes of the processing;
      – A description of the categories of data subjects and of the categories of personal data;
      – The categories of recipients to whom the personal data has been or will be disclosed;
      – International transfers of personal data and the documentation of appropriate safeguards;
      – The envisaged time limits for erasure of the different categories of data;
      – A general description of the technical and organisational security measures implemented.
  • 19. The data breach reporting responsibilities of controllers and processors
  • 20. Data breach reporting responsibilities
    The definition of a personal data breach in the GDPR:
    • A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • 21. Data breach reporting responsibilities
    Obligation for the data processor to notify the data controller:
    • Notification without undue delay after becoming aware.
    • No exemptions.
    • All data breaches have to be reported.
  • 22. Data breach reporting responsibilities
    Obligation for the data controller to notify the supervisory authority:
    • Notification without undue delay and not later than 72 hours.
    • Unnecessary in certain circumstances.
    • Description of the nature of the breach.
    • No requirement to notify if unlikely to result in a risk to the rights and freedoms of natural persons.
    • Failure to report within 72 hours must be explained.
  • 23. Data breach reporting responsibilities
    Obligation for the data controller to communicate a personal data breach to data subjects:
    • Communication to the data subject without undue delay if high risk.
    • Communication in clear plain language.
    • Supervisory authority may compel communication with the data subject.
    Exemptions if:
    • Appropriate technical and organisational measures are taken;
    • A high risk to a data subject will not materialise; or
    • Communication with a data subject would involve disproportionate effort.
  • 24. The liability of, and penalties that may be imposed on, data processors and controllers
  • 25. Remedies, liabilities and penalties
    Article 79: Natural persons have rights
    • Judicial remedy where their rights have been infringed as a result of the processing of personal data:
      – In the courts of the Member State where the controller or processor has an establishment.
      – In the courts of the Member State where the data subject habitually resides.
    • Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.
    • The controller involved in processing shall be liable for damage caused by processing.
  • 26. Remedies, liabilities and penalties
    • In each case, fines will be effective, proportionate and dissuasive.
    • Fines administered will take into account technical and organisational measures implemented.
    • €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
    • €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year.
  • 27. Remedies, liabilities and penalties
    Article 83: General conditions for imposing administrative fines
    • The nature, gravity and duration of the infringement;
    • The intentional or negligent character of the infringement;
    • Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
    • The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.
  • 28. Remedies, liabilities and penalties
    Article 82: Right to compensation and liability
    • Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.
    • The controller involved in processing shall be liable for damage caused by processing.
    • The processor is liable only for damage caused by processing or where it has acted contrary to lawful instructions of the controller.
    • Exemption for the controller and processor where they are not responsible.
    • Joint and several liability to ensure effective compensation.
    • Compensation clawback provision.
  • 29. The appointment of joint controllers and subcontracting processors
• 30. The appointment of joint controllers
Article 26: Joint controllers
• When two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.
Article 29 Working Party guidance
• Joint controllers should appoint one establishment, which has the power to implement decisions about processing with respect to all the joint controllers.
• 31. The appointment of joint controllers
Article 26: Joint controllers shall:
• Determine the responsibilities and obligations in a transparent manner and determine their respective responsibilities for compliance;
• Designate a point of contact for exercising the rights of the data subject; and
• Decide on the respective duties to:
  • Provide data subjects with access to the information collected; and
  • Provide information about the controller where personal data has not been obtained from the data subject.
• 32. The appointment of joint controllers
Article 26: Joint controllers
• To determine their responsibilities and obligations by means of an arrangement.
• The arrangement between joint controllers shall be made available to the data subject.
Article 26(3): Liability of joint controllers
• Joint controllers are jointly and individually liable.
• A joint controller may be exempt from liability if it can prove no responsibility for the data breach.
• 33. The appointment of joint controllers
Article 27: Representatives of controllers or processors not established in the Union
Where the controller or the processor is not established in the Union:
• They shall designate in writing a representative in the Union.
• A representative shall be established where data processing or profiling resides.
• The representative shall be mandated to be addressed by supervisory authorities and data subjects for the purposes of the Regulation.
• The designation of a representative does not absolve the controller or processor from legal liabilities.
• 34. Subcontracting processors
Data processors may appoint a sub-processor
• Data processors may only process data on behalf of a controller where a written agreement is made between the two parties.
• The agreement should outline the obligations and responsibilities, as set out in the GDPR.
• Data processors may not engage a sub-processor or contract a data processing service provider without the controller’s authorisation.
• 35. Subcontracting processors
Sub-processors or subcontracted processors shall:
• Only process data in accordance with the controller’s instructions;
• Maintain records of data processing activities;
• Make sure that persons authorised to process the personal data observe confidentiality;
• Take appropriate security measures;
• Assist the controller by applying appropriate technical and organisational measures;
• Assist the controller in ensuring compliance with the obligations relating to the security of processing;
• Delete or return all the personal data to the controller after the end of the provision of services; and
• Make available to the controller all information necessary to demonstrate compliance with the Regulation.
• 36. IT Governance: GDPR one-stop shop
Self-help materials
• A Pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
• 37. IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
• 38. IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis
  • Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit
  • Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Information Commissioner notification support (a legal requirement for DPA compliance)
  • Organisations that process personal data must complete a notification with the Information Commissioner under the DPA.
• Implementing a personal information management system (PIMS)
  • Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001
  • We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check
  • The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.