This document discusses the key aspects of the EU General Data Protection Regulation (GDPR) as it relates to processors. It defines key terms such as controllers, processors, and personal data. It outlines the requirements for processors under the GDPR, including having appropriate contracts with controllers, using sub-processors only with consent, cooperating with controllers and data protection authorities, maintaining security, and more. It also discusses data protection officers, international data transfers, data subject rights, and sanctions for non-compliance including large fines.
Be careful what you wish for: the great Data Protection law reform - Lilian E... - IISPEastMids
At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Lilian Edwards looked at the basics on what you need to know about the new regulation.
http://qonex.com/east-midlands-cyber-security-forum/
In general, the GDPR applies to any business that processes personal data by automated or manual processing
A strategic approach is introduced to regulating personal data and the normative foundations of the European Union's General Data Protection Regulation (GDPR)
Existing Requirements imposed by the 1995 Data Protection Directive are refined.
It does this by establishing a uniform framework for data protection legislation across the EU
Key highlights of the General Data Protection Regulation (GDPR), which organisations will need to consider when preparing for its coming into force on 25 May 2018.
This webinar gives an overview of:
- The regulation landscape
- Territorial scope
- Remedies, liabilities and penalties
- Privacy notices
- The right of data subject
- Consent
- Data processing
- Profiling or "automated individual decision-making"
- International marketing and data transfers
A recording of this webinar is available here:
https://www.youtube.com/watch?v=Vr_CT24v2iI
This is a slightly modified version of a presentation that I gave to fellow lawyers last week. It explains what GDPR is, the policy of data protection and the evolution of data protection legislation from the OECD Guidelines and Council of Europe Convention to the GDPR. It explores the regulation focusing on the data protection principles and, in particular, the lawfulness requirement and the validity of consent. The presentation mentions the Law enforcement data protection directive, the Data Protection Bill and the arrangements post Brexit. Finally, it considers the preparations recommended by the Information Commissioner for small businesses.
Revising policies and procedures under the new EU GDPR - IT Governance Ltd
This webinar covers:
- An overview of the regulatory landscape
- Territorial scope
- Remedies, liabilities and penalties
- Principles of the EU GDPR
- Policies - GDPR reference
- What if we don't have policies in place?
- What policies are required?
- How to develop a policy?
A recording of this webinar is available here:
https://www.youtube.com/watch?v=tzsXsf1058Q&feature=youtu.be
With GDPR coming into effect, we can see a lot of changes in the privacy policies of companies doing business online. The presentation is a description of GDPR and its implications in India and worldwide. The main aim of the presentation is to identify the key issues of data privacy and the rights available to the consumer whose data is to be shared.
Published in the European Official Journal on May 4 2016 and effective from May 24 2016, the legislation that will reform European data protection law becomes directly applicable in Italy after a period of two years.
The General Data Protection Regulation, better known as GDPR, will enter into force on May 25 2018: the legislation is going to make a significant change on how data is managed and protected by – and from - private companies.
European government adopted the General Data Protection Regulation (GDPR) in 2016, and it was put into effect on May 25, 2018, replacing the 1995 Data Protection Directive to protect the personal information of EU citizens. GDPR aims to govern personal data processing and ensure processing is fair and lawful. It is also designed to emphasize the fundamental right to privacy.
General Data Protection Regulations (GDPR): Do you understand it and are you ... - Cvent
Whether you’re an event or hospitality professional in a small, medium or large organization, the General Data Protection Regulation (GDPR) is going to affect you. Get prepared with Cvent and Debrah Harding of Market Research Society before the 25th May deadline. GDPR is a new EU regulation, designed for the digital age. GDPR will strengthen an individual's rights and increase business accountability for data privacy and holding personal information. Organizations found breaching the regulations can face fines of up to 20 million Euros or up to 4% of annual global turnover. At Cvent we are already on track to becoming GDPR compliant and we want to advise our industry partners on how to become compliant too.
General Data Protection Regulation (GDPR) - Moving from confusion to readiness - Omo Osagiede
This GDPR primer highlights key aspects of the new EU regulation regarding the protection of EU citizens' data. It also presents a basic approach and key activities for GDPR preparedness. Useful as a discussion starter with senior management.
This presentation is an overview of the what, why, how, and creation of a social media policy. It also discusses the various types of policies and the various laws and regulations that need to be considered when creating a policy, and finishes with a plethora of checklists, tools, templates, and resources.
The recent Facebook-Cambridge Analytica scandal has stirred heated discussions on privacy around the globe. An estimated 87 million people are affected by the data breach. Although the majority of the affected users are in the United States, Facebook published that personal data of over 1 million users in the Philippines, United Kingdom, and Indonesia are also compromised.
For the people who ratified the General Data Protection Regulation (GDPR), the answer is a resounding NO.
As Reinis Papulis of KRONBERGS ČUKSTE DERLING points out, “today’s level of technological development and role of personal data in the provision of various services has made it impossible to ensure the protection of personal data (privacy of individuals) at an adequate level with a legal act that was adopted in the second half of the 90's.”
This has prompted the EU to overhaul its defences against data breaches. Technology changes fast and data collection is at its peak today. Out of the necessity to protect consumers and uphold data privacy, the General Data Protection Regulation is set to be in full effect beginning May 25, 2018.
The battle for data privacy is not lost. And the enforcement of GDPR shows that we can still put up a good fight against companies that treat our personal data as commodities. However, there’s still a long way ahead of us.
Key Issues on the new General Data Protection Regulation - Olivier Vandeputte
The General Data Protection Regulation is one of the most wide ranging pieces of legislation passed by the EU in recent years. The GDPR comes into effect on 25 May 2018. The new framework is ambitious, complex and strict. It presents any organization that has so far failed to begin preparations with a steep challenge to become GDPR compliant in time.
We have summarized the key issues in our GDPR brochure.
"The EU General Data Protection Regulation: GDPR" - workshop held by Beatrice Masserini (Studio Cassinis, Italy) at the TRA Annual Meeting 2018 in Athens
General Data Protection Regulation (GDPR) is taking effect in May 2018
What does GDPR actually mean for organizations and data?
What's in Scope?
When must organizations be ready?
Article 15: Right of Access
Article 16: Right of Correction
Article 17: Right to be forgotten
Article 20: Right of Portability
Article 21: Right to object
Article 8: Children under 16
Article 24: Responsibility of the controller
Article 28: Data processor
Article 32: Technical measures
This presentation deals with insights on how an offshore IT organization has to get ready to align with the General Data Protection Regulation issued by the European Union.
The Evolution of Data Privacy: 3 things you didn’t know - Symantec
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation has been designed to update the current directive, which was drafted in a time that was, in technology terms, prehistoric. It’s time to evolve.
The GDPR’s impact on your business and preparing for compliance - IT Governance Ltd
These slides will cover:
- An overview of the regulatory landscape and territorial scope
- Principles of the EU GDPR
- Breach notification rules
- Data subject rights
- Changes to consent
- Processor liabilities
- Role of the Data Protection Officer
- International transfers
- Regulators and pan-European consistency
How will your business be affected and what you can do to stay ahead of the n... - Carrenza
Topics covered include:
Key highlights of the new GDPR (General Data Protection Regulation)
Who is affected
‘Privacy Shield’ proposals versus US-EU Safe Harbour framework
Timeline for implementation and enforcement of GDPR
What should you be doing to prepare for the new legislation
Speaker line up
Martin Hoskins, Associate Director at Grant Thornton UK LLP
Matthew McGrory, Managing Director at Carrenza Ltd
A business that is not GDPR compliant by May 2018 may face a fine of 4% of its annual turnover
Reasons to attend
This session delivered in partnership with Grant Thornton will give you the knowledge on how to ensure compliance with GDPR and avoid penalties and highlight what companies can do now in light of the new legislation; what types of cascade effects there will be on operations and businesses; the impact of the privacy shield; and further discussion on what Brexit means for the GDPR.
How GDPR will change Personal Data Control and Affect Everyone - Thomas Goubau
The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
SCCE Processors and GDPR
1. EU General Data Protection Regulation and Processors
Robert Bond, BA, CCEP
2. Robert Bond, CCEP
Partner
"astounding" Legal 500, 2015
"absolutely exemplary" and the fact that his knowledge of data protection law is "astounding, and his application equally impressive." Chambers UK, 2016
Robert Bond has over 37 years' experience in advising national and international clients on all of their technology, data protection and cyber law requirements. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks.
He is Secretary of the Board of SCCE, Chairman of the Big Data Governance committee of Tech UK and a member of the UN Data Privacy Advisory Group to the United Nations.
He is an Ambassador for Privacy by Design.
rtjbond@icloud.com
3. GDPR and Processors: Today’s topics
- Current EU law
- Overview of GDPR
- Controllers and processors
- Contractual needs
- Use of sub-processors
- Role of DPO
- Trans border data flows
- Due diligence
14 January 2017
4. Quick recap: Key definitions
- Data Controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
- Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller
- Personal data: Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
- Data Subject: An individual who is the subject of personal data
5. Quick recap: Key definitions
- Sensitive personal data: Racial or ethnic origin, Political opinions, Religious beliefs, Trade Union Membership, Physical or mental health condition, Sexual life, Criminal offences
- Processing: Recording or holding the information or data or carrying out any operation or set of operations on the information or data
- DPA/Supervisory Authority: Tasked with the protection of personal data and privacy and with taking enforcement action against those who do not comply with the data protection law
- Privacy Impact Assessment: A tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data (DPA)
6. Quick recap: Key principles
8 Key principles of DP law. Personal data must…
- Be processed fairly and lawfully
- Only be processed for one or more specified and lawful purposes and not further processed in a manner incompatible with those purposes
- Be adequate, relevant and not excessive
- Be accurate and where necessary kept up-to-date
- Not be processed for longer than is necessary
- Be processed in accordance with data subjects’ rights
- Be protected by appropriate technical and organisational security measures
- Not be transferred outside of the EEA unless that country ensures an adequate level of protection for personal data
7. General Data Protection Regulation
Scope of regime:
- Wider definition of Personal Data
- All organisations
- Pan-European (no local legislation)
- Extra-territorial application
8. General Data Protection Regulation
• Documentation
• Breach notification – Regulator & Data subject
• Privacy Impact Assessments
• Compulsory DPOs
• Certifications and seals
• International transfers
• One-stop shop regulation
• Cooperation and consistency
• EU Data Protection Board
• Fines
• Sector exemptions – e.g. Media & Health
• Definitions of Personal data
• Consent
• Children’s (Parental) consent
• Information
• Data Subject rights & access
• Right to be forgotten
• Data portability
• Controller and Processor responsibilities
• Data protection by design and default
• Designation for non-EU controllers
9. Preparing for GDPR: Applicability – New law
- Applies to controllers and processors established in EU
- Applies to any controller and processor not located in the EU where the processing activities are related to:
  - The offering of goods or services to data subjects in the EU, irrespective of whether a payment is required; or
  - The monitoring of their behaviour as far as their behaviour takes place within the EU
10. Preparing for GDPR: Representatives of controllers / processors not
- Controllers or processors not established in the EU but where Article 3(2) applies must designate in writing a representative
- Representative must be established in a member state where the data subjects whose data are being processed by the controller or processor are located (or where most of them are located)
- All DP issues from data subjects / data protection authority should be addressed to the representative
- The designation of the representative does not affect the responsibility and liability of the controller or processor under the Regulation
11. GDPR and processors - overview
- Controller must ensure processor will comply with GDPR
- Must be an appropriate contract between controller and processor
- Processor must have adequate information security
- Processor must not use sub-processors without consent of the controller
- Processor must co-operate with the relevant DPA
- Processor must report data breaches to controller without delay
- Processor may need to appoint a DPO
- Processor must keep records of processing activities
- Processor must comply with EU trans border transfer rules
- Processor must help controller comply with data subject rights
- Processors are directly liable for non-compliance
12. Contractual needs
- Documented instructions
- Confidentiality
- Information security
- Control of sub-processors
- Measures to help controller comply with data subject rights
- Co-operation with controller and DPA
- Destruction or return of data at end of contract
- Provide controller with evidence of GDPR compliance
13. Use of sub-processors
- No use of sub-processors without consent of controller
- Any third party processing personal data for a processor is a sub-processor
- Sub-processors must be contractually controlled
- Controllers are likely to do considerable due diligence
14. DPO: Data Protection Officers / Notifications – New Law
- Notifications abolished
- Applies to both controllers and processors
- Mandatory requirement for:
  - Public authorities
  - Where the core activities…consist of processing operations which, by virtue of their nature, scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  - Where the core activities…consist of processing on a large scale of special categories of data and data relating to criminal offences
15. DPO: Data Protection Officers / Notifications – New Law
- Possible to have one DPO for a group of undertakings provided that the DPO is ‘easily accessible from each establishment’
- DPO can be a member of staff or on a service contract
- Contact details of DPO must be provided to the supervisory authority
- DPO must have ‘expert knowledge of data protection law and practices’
- Must be ‘independent’
- Must report to the ‘highest management level’
16. Tasks of DPO
- Inform and advise the controller or processor and the employees who are processing personal data of their obligations under the Regulation
- Monitor compliance with the Regulation, including the assignment of responsibilities, awareness-raising of staff involved in processing operations and the related audits
- To provide advice where requested as regards data protection impact assessments
- Co-operate with the relevant data protection authority (DPA)
- To act as a contact point for the DPA, in particular in relation to prior consultations referred to in Article 34
17. Trans border data flows: Data Transfers – New Law
- Safe Harbor
- Privacy Shield
- European Commission approved Model Contract Clauses
- Binding Corporate Rules
- Consent (although precarious to rely on)
- Codes of Conduct (Article 38)
- Certifications / Seals (Article 39)
18. Data Subject Rights: Data subjects rights – New Law
- Information (Art 14)
- Access (Art 15)
- Rectification (Art 16)
- Erasure (right to be forgotten) (Art 17)
- Restriction of processing (Art 17a)
- Data portability (Art 18)
- Object (Art 19)
- Automated decision making / profiling (Art 20)
19. Enforcements and fines: Sanctions for non-compliance – New Law
Sanctions for non-compliance – two levels of fines…
- Up to the greater of 2% annual worldwide turnover of preceding financial year or EUR 10 million – for matters re internal record keeping, data processor contracts, data protection officers, data protection by design and default
- Up to the greater of 4% annual worldwide turnover of preceding financial year or EUR 20 million – for matters re breaching data protection principles, conditions for consent, data subjects’ rights and international data transfers
20. Due diligence
GDPR compliance
Data Protection audit
Do they process personal data and sensitive data?
What are their data flows?
What are their information security policies & procedures?
Have they had any breaches – notified or not?
Have they been audited by a DPA?
Who is their DPO?
Document data processing activities
Data processing map – intra group and third parties
Do they claim any ownership of personal data
Retention and destruction practices
Use of sub-processors
Review policies & procedures
Data breach response policy and procedures
Data sharing policy and procedures
Vetting of staff
Information security and cyber risk?
Training
21. Processors should…
- Carry out a compliance assessment
- Rewrite their terms of business
- Audit their sub-processors
- Review their insurance
- Address data transfer solutions
- Consider if they are a processor and/or a controller
- Assess their policies & procedures
- Decide if a DPO is necessary
- Anticipate their customers’ needs
- Put in place staff training