The General Data Protection Regulation (GDPR):
The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens.
The regulation came into force on 24 May 2016 and will apply from 25 May 2018.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What happens if we do not comply?
Effective, proportionate and dissuasive
Level 1 fines – up to the greater of 10,000,000 EUR or 2% of total worldwide annual turnover.
Level 2 fines – up to the greater of 20,000,000 EUR or 4% of total worldwide annual turnover.
What information does the GDPR apply to?
Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
Responsibilities and obligations:
Data controller vs. data processor
Privacy impact assessment
Notice
Privacy by design
Individual’s rights
Recording processing activities
Data security
What do we need to do about data security? Are there any specific requirements?
a. No specific framework or technologies required
b. Pseudonymization and encryption
c. Privacy by design
d. Data Processor agreements.
e. Breach detection
Data Breaches:
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Example
Personal data breaches can include:
i. access by an unauthorized third party;
ii. deliberate or accidental action (or inaction) by a controller or processor;
iii. sending personal data to an incorrect recipient;
iv. computing devices containing personal data being lost or stolen;
v. alteration of personal data without permission; and
vi. loss of availability of personal data.
Data Minimization vs Data Maximization
Data maximization: that is, collecting as much data about consumers as possible, sometimes before they know exactly what, how, or when that data will be used. In addition they will extract as much value out of this data as they can, including at times reusing it for various purposes or even selling it to another party. One of the biggest tenets of the GDPR is the principle of data minimization, that is, that firms collect only the smallest amount of personal data for the shortest period of time possible, and delete it as quickly as possible after its specific purpose is completed.
Individual rights under the GDPR:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling
Data Protection Officer:
Appoint if core activities are
- Regular and systematic monitoring of data subjects on a large scale, or
- Processing special categories of data or data relating to criminal convictions/offences on a large scale.
Checklist to ensure we fulfilled individual rights:
1. Organized data:
To be able to provide information to them as quickly and as accurately as possible, make sure all the data you have is organized. Anything you could use on its own or with another bit of information to identify a person counts: their name, their phone number, photos of them, their IP address. Make sure you know what data you have on people and identify what that is.
2. Data is secure, safe and not misleading
What measures have you got in place to make sure that nobody could leak, hack or misplace that data? If you're storing that data digitally, what safety measures could you put in place?
- Could the information be up there in the cloud?
- Do you have antivirus software on all of your devices?
- If any of your devices were lost, could you remotely wipe out that data so nobody could access it?
Similarly, if you have hard copies of your data, what are you doing, are you securing that safely? Is it locked away? Is it in a fireproof box? Are you making sure that no one could access that information who shouldn't? You also want to make sure you record in the risk assessment what measures you've taken to make sure that data are safe. This is going to make sure everybody in your team knows exactly what's happening, and should you ever be investigated you're showing that you've already taken the necessary precautions.
3. Do not hold on to the data if you’re unsure about what to do with the data:
Being GDPR compliant, don't hold on to data unnecessarily, and if you don't know what you're going to do with it, you need to be totally sure of why you've got someone's name or email address; don't keep it just because it might become handy in the future.
4. Fair processing policy:
This is something you're likely to already have in the form of a privacy policy. It's a document that really clearly explains what data you're going to be taking from people and how you're going to be using it. Every time somebody hands over a bit of data to you, you want to make sure that they have clear access to your fair processing notice. GDPR has asked that this fair processing notice has no jargon.
What are you going to do with that information? When you write this document, here are some questions to keep in mind:
- What information is being collected?
- Who is collecting it?
- How is it being collected?
- Why is it being collected?
- How is it going to be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned? Is the intended use likely to cause individuals to object or complain?
5. Have a process for providing the information you have on a person:
If somebody asks "what information do you have on me?", do you have a process so that you can easily give that to them? With the new law you have to be able to supply people with what information you have on them if they ask. You have to supply this information within one month of them asking and you have to do it free of charge, so make sure you've got a process in place so that you can quickly get all the information you have on them and send that over to them.
6. Have a process for deleting the data:
Have a process in place for when someone asks you to delete all their data; that's part of the new law, so make sure you know where all of the information you have on them is so you can easily wipe it off.
Note: Individuals have more rights under the GDPR including rights to: have their personal data erased, have inaccurate data corrected, be removed from digital marketing, and request personal data be ported to another service provider.
7. Allow people to positively opt in to you storing their data:
Allow people to positively opt in to you having their data and using it for marketing purposes. If you're going to use someone's data for marketing, they have to take some sort of action to say “yes you can have my data and yes you can use it for these reasons”; that's known as positive opt-in. It used to be the case that you would go on to a website and there would be a pre-ticked box that says "yeah you can use my data for whatever"; that's not the case anymore. People have to actively tick that box, or take another action when an email comes through to their inbox that says "click this button to be part of our mailing list so that we can use your information for X and Y". If you're collecting people's information in person you could get them to sign something to say that they're happy for you to use their data in this way, or you could get them to tick a box that says "I'm happy for you to do this". Whatever it is, make sure that someone is taking an action and you have evidence that they did that click.
8. Layered opt-in:
A layered opt-in form allows users to have easy access to understand their information and how it's going to be used, but it doesn't look messy; instead they can click on a button and delve into more information, if they'd like, about how you're going to use it.
9. Make it easy to opt out:
If you're using people's information to send them marketing, make it really easy for them to opt out of it. If you're using emails you need to make sure people can unsubscribe; the same goes for things like text messages and call services.
Similarly, if you're sending mail to people, make sure that you're writing something at the bottom that tells them how they can stop receiving the mail. The information for opting out should be really clear and really obvious. (Don't use any small print. Also make sure you have a really strict policy on how you're going to make sure someone that opts out doesn't get any more marketing materials from you; this is where you could really fall short of GDPR law and get reported, and that's when million-euro fines are going to come knocking at your door. If someone doesn't want to receive anything anymore, make sure everyone in your team knows that and they then no longer receive it.)
10. Make sure all your team know about the new GDPR laws:
Just to show GDPR that you'll be very conscious of the laws, train all of your employees, because it's just as important that they do it so your whole business isn't liable. To be extra safe, appoint someone in the team to be the data protection officer and make sure you've got this in writing. That means that person is responsible for enforcing all the tips. Giving one person the role or responsibility means that these tips are much more likely to get enforced, because their checks and balances are in place across the business and implemented straight away.
Key Take Away:
- No mailing without the user’s consent/opt-in.
- Proper data organization to be able to process the data efficiently.
- Reply-to address should be able to capture the information and act accordingly.
- No cross marketing/selling.
- Maintain data transparency with the users.
- Continuous track of user action.
- Let user know we are using cookies to track their information.
- Agreement on data security between controller and processor, i.e. between our legal team and HubSpot.
- DPO to comply with GDPR guidelines and respond to all data-relevant queries.
- Any information sought by any user to be fulfilled within the stipulated time and free of cost.
- Plan a campaign to send to our existing customers asking them to opt in again to be able to continue receiving email from us.
- A proper document on how our data is being stored, ensuring safety, security and privacy.
- Identify the geolocation of the user and act/take necessary precautions, especially for users residing in the EU.
- Get assurance in writing from our processor, i.e. HubSpot, that they are fully in compliance with the GDPR and ready for any kind of legal queries.
- Track user details like signup IP, signup date, time stamp, and clicked history of layered opt-in to deal with user complaints.
Misc. Terms:
Data Subject
A person who lives in the EU
Personal Data
Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info)
Controller
A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed (for example using the HubSpot services to market to prospects and customers), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.
Processor
A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. So for example, HubSpot is the processor of the data you collect in your HubSpot portal. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer (DPO)
A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert
Data Privacy Impact Assessment (DPIA)
A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing
Supervisory Authority
Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities)
Third Countries
Countries outside the EU
Pseudonymisation
Pseudonymisation takes the most identifying fields within a database and replaces them with artificial identifiers, or pseudonyms. For example a name is replaced with a unique number. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing and data retention.
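The pseudonymisation entry above, and the earlier point that key-coded data can still be in scope "depending on how difficult it is to attribute the pseudonym to a particular individual", are illustrated by the following Python example. It is added here and is not part of the original slides. The records, names and the demo key are constructed for the demonstration; it contrasts a keyed pseudonym (HMAC-SHA256, with the key held by the controller) against an unkeyed hash, and shows that only the unkeyed form can be attributed back to a person by recomputing it from a list of candidate addresses.

```python
# Added example (not from the original slides): key-coded pseudonymisation.
# The most identifying fields of each record are replaced by an artificial
# identifier; the mapping back to the person lives in a separate lookup table
# that only the controller holds. All records, names and the key below are
# constructed for this demonstration.
import hashlib
import hmac

# Constructed sample records: the people and addresses are fictitious.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "IE", "plan": "pro"},
    {"name": "Bob Sample", "email": "Bob@example.org", "country": "DE", "plan": "free"},
    {"name": "Alice Example", "email": "ALICE@example.org", "country": "IE", "plan": "pro"},
]

# Fields that directly identify a person and therefore leave the shared data set.
IDENTIFYING_FIELDS = ("name", "email")

# Constructed demo key. In practice the key is generated randomly (for example
# with secrets.token_bytes(32)), stored apart from the data, and never shipped
# together with the pseudonymised records.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def keyed_pseudonym(email, key):
    """Derive a pseudonym from the e-mail with HMAC-SHA256 under a secret key.

    The same person (address compared case-insensitively) always gets the same
    pseudonym, so records stay linkable for analysis, but without the key the
    pseudonym can be neither reversed nor recomputed from a guessed address.
    """
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def naive_pseudonym(email):
    """Unkeyed hash, shown for comparison: anyone holding a list of candidate
    addresses can recompute it and so attribute the pseudonym to a person."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (shared_records, lookup_table).

    shared_records carry only the non-identifying fields plus a subject_id;
    lookup_table maps subject_id back to the identifying fields and is the
    "key code" the controller must keep separately from the shared data.
    """
    shared_records, lookup = [], {}
    for rec in records:
        subject_id = keyed_pseudonym(rec["email"], key)
        lookup[subject_id] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        shared = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        shared["subject_id"] = subject_id
        shared_records.append(shared)
    return shared_records, lookup


def reidentify(shared_record, lookup):
    """Controller-side re-identification: possible only with the lookup table."""
    identity = lookup[shared_record["subject_id"]]
    rest = {k: v for k, v in shared_record.items() if k != "subject_id"}
    return {**identity, **rest}


def attribute(pseudonym, candidate_emails, derive):
    """Try to attribute a pseudonym by recomputing it for each candidate address
    with the derivation function `derive`. Returns the matching address or None.
    This succeeds against naive_pseudonym and fails against keyed pseudonyms
    when the key is not available, which is the difference the scope test
    quoted in the slides turns on."""
    for email in candidate_emails:
        if derive(email) == pseudonym:
            return email
    return None


if __name__ == "__main__":
    shared, lookup = pseudonymise(RECORDS, DEMO_KEY)
    for row in shared:
        print(row)
    print("re-identified with lookup table:", reidentify(shared[1], lookup))
    candidates = [r["email"] for r in RECORDS]
    print("naive scheme attributed to:",
          attribute(naive_pseudonym("alice@example.org"), candidates, naive_pseudonym))
    print("keyed scheme attributed to (no key):",
          attribute(shared[0]["subject_id"], candidates, naive_pseudonym))
```

The design point is the separation of duties: the shared records can be handed to an analyst or a processor, while the lookup table and the key stay with the controller, so a request for access or erasure is answered by consulting the table rather than by searching the shared data for names.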
Personal data breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptxTHE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
THE CONCEPT OF RIGHT TO DEFAULT BAIL.pptx
 
Corporate Governance : Scope and Legal Framework
Corporate Governance : Scope and Legal FrameworkCorporate Governance : Scope and Legal Framework
Corporate Governance : Scope and Legal Framework
 
suture removal ppt.pptx medical surgical
suture removal ppt.pptx medical surgicalsuture removal ppt.pptx medical surgical
suture removal ppt.pptx medical surgical
 
V.-SENTHIL-BALAJI-SLP-C-8939-8940-2023-SC-Judgment-07-August-2023.pdf
V.-SENTHIL-BALAJI-SLP-C-8939-8940-2023-SC-Judgment-07-August-2023.pdfV.-SENTHIL-BALAJI-SLP-C-8939-8940-2023-SC-Judgment-07-August-2023.pdf
V.-SENTHIL-BALAJI-SLP-C-8939-8940-2023-SC-Judgment-07-August-2023.pdf
 
一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理
一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理
一比一原版伯恩茅斯大学毕业证(bu毕业证)如何办理
 
一比一原版(uwlc毕业证书)美国威斯康星大学拉克罗斯分校毕业证如何办理
一比一原版(uwlc毕业证书)美国威斯康星大学拉克罗斯分校毕业证如何办理一比一原版(uwlc毕业证书)美国威斯康星大学拉克罗斯分校毕业证如何办理
一比一原版(uwlc毕业证书)美国威斯康星大学拉克罗斯分校毕业证如何办理
 
一比一原版(trent毕业证书)加拿大特伦特大学毕业证如何办理
一比一原版(trent毕业证书)加拿大特伦特大学毕业证如何办理一比一原版(trent毕业证书)加拿大特伦特大学毕业证如何办理
一比一原版(trent毕业证书)加拿大特伦特大学毕业证如何办理
 
一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理
一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理
一比一原版(ual毕业证书)伦敦艺术大学毕业证如何办理
 
一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证书)利物浦大学毕业证如何办理
 
Safeguarding Against Financial Crime: AML Compliance Regulations Demystified
Safeguarding Against Financial Crime: AML Compliance Regulations DemystifiedSafeguarding Against Financial Crime: AML Compliance Regulations Demystified
Safeguarding Against Financial Crime: AML Compliance Regulations Demystified
 
Asian legal busiess india you are invited
Asian legal busiess india you are invitedAsian legal busiess india you are invited
Asian legal busiess india you are invited
 
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
一比一原版新加坡南洋理工大学毕业证(本硕)ntu学位证书如何办理
 
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
一比一原版加拿大达尔豪斯大学毕业证(dalhousie毕业证书)如何办理
 
San Remo Manual on International Law Applicable to Armed Conflict at Sea
San Remo Manual on International Law Applicable to Armed Conflict at SeaSan Remo Manual on International Law Applicable to Armed Conflict at Sea
San Remo Manual on International Law Applicable to Armed Conflict at Sea
 
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
一比一原版牛津布鲁克斯大学毕业证(牛布毕业证)如何办理
 
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
在线办理(UNE毕业证书)新英格兰大学毕业证成绩单一模一样
 

The General data protection regulation : Salient clauses

• 1. The General Data Protection Regulation (GDPR):
The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of individuals in the EU and increase the obligations on organizations who collect or process personal data. The regulation builds on many of the 1995 Directive's requirements for data privacy and security but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens.
The regulation came into force on 24 May 2016 and will apply from 25 May 2018.
Who does the GDPR apply to?
The GDPR applies to 'controllers' and 'processors'.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour.
The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal/household activities.
What happens if we do not comply?
Administrative fines must be effective, proportionate and dissuasive. There are two tiers:
Level 1 fines: up to the greater of 10,000,000 EUR or 2% of total worldwide annual turnover of the preceding financial year.
Level 2 fines: up to the greater of 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding financial year.
• 2. What information does the GDPR apply to?
Personal data
The GDPR applies to 'personal data', meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.
The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. In practice, anyone who holds the key or lookup table can attribute it, so pseudonymised data held by the controller remains personal data.
Sensitive personal data
The GDPR refers to sensitive personal data as "special categories of personal data" (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
Responsibilities and obligations:
- Data controller vs. data processor
- Privacy impact assessment
- Notice
- Privacy by design
- Individual's rights
- Recording processing activities
• 3. Data security
What do we need to do about data security? Are there any specific requirements?
a. No specific framework or technologies are required; the measures must be appropriate to the risk.
b. Pseudonymization and encryption
c. Privacy by design
d. Data processor agreements
e. Breach detection
Data breaches:
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.
Examples of personal data breaches include:
i. access by an unauthorized third party;
ii. deliberate or accidental action (or inaction) by a controller or processor;
iii. sending personal data to an incorrect recipient;
iv. computing devices containing personal data being lost or stolen;
v. alteration of personal data without permission; and
vi. loss of availability of personal data.
Data minimization vs. data maximization
Data maximization: that is, collecting as much data about consumers as possible, sometimes before they know exactly what, how, or when that data will be used. In addition, firms extract as much value out of this data as they can, including at times reusing it for various purposes or even selling it to another party. One of the biggest tenets of the GDPR is the principle of data minimization, that is, that firms collect only the smallest amount of personal data for the shortest period of time possible, and delete it as quickly as possible after its specific purpose is completed.
Individual rights under the GDPR:
- Right to be informed
• 4.
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making, including profiling
Data Protection Officer:
Appoint one if your core activities are:
- Regular and systematic monitoring of data subjects on a large scale, or
- Processing special categories of data, or data relating to criminal convictions/offences, on a large scale.
Checklist to ensure we fulfil individual rights:
1. Organized data:
To be able to provide information to people as quickly and as accurately as possible, make sure all the data you have is organized. Any piece of information that, on its own or together with another bit of information, could identify a person counts: their name, their phone number, photos of them, their IP address. Make sure you know what data you have on people and identify what it is.
2. Data is secure, safe and not misleading:
What measures have you got in place to make sure that nobody could leak, hack or misplace that data? If you're storing that data digitally, what safety measures could you put in place?
- Is the information held in the cloud, and if so, under what safeguards?
- Do you have antivirus software on all of your devices?
- If any of your devices were lost, could you remotely wipe that data so nobody could access it?
Similarly, if you have hard copies of your data, what are you doing with them? Are you securing them safely? Are they locked away? Are they in a fireproof box? Are you making sure that no one who shouldn't could access that information? You also want to record in the risk assessment what measures you've taken to make sure that data is safe. This makes sure everybody in your team knows exactly what's happening, and should you ever be investigated, you can show that you've already taken the necessary precautions.
• 5.
3. Do not hold on to the data if you're unsure about what to do with it:
To be GDPR compliant, don't hold on to data unnecessarily. If you don't know what you're going to do with it, you need to be totally sure of why you've got someone's name or email address; "it might become handy in the future" is not a reason.
4. Fair processing policy:
This is something you're likely to already have, in the form of a privacy policy. It's a document that really clearly explains what data you're going to be taking from people and how you're going to be using it. Every time somebody hands over a bit of data to you, you want to make sure that they have clear access to your fair processing notice. The GDPR asks that this fair processing notice has no jargon.
What are you going to do with that information? When you write this document, here are some questions to keep in mind:
- What information is being collected?
- Who is collecting it?
- How is it being collected?
- Why is it being collected?
- How is it going to be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned? Is the intended use likely to cause individuals to object or complain?
5. Have a process for providing the information you have on a person:
If somebody asks "what information do you have on me?", do you have a process so that you can easily give that to them? Under the new law you have to be able to supply people with the information you have on them if they ask. You have to supply this information within one month of the request, and you have to do it free of charge, so make sure you've got a process in place so that you can quickly get all the information you have on them and send it over to them.
6. Have a process for deleting the data:
Have a process in place for when someone asks you to delete all their data; that's part of the new law, so make sure you know where all of the information you have on them is so you can easily wipe it.
Note: Individuals have more rights under the GDPR, including rights to: have their personal data erased, have inaccurate data corrected, be removed from digital marketing, and request that personal data be ported to another service provider.
7. Allow people to positively opt in to you storing their data:
• 6. Allow people to positively opt in to you having their data and using it for marketing purposes.
If you're going to use someone's data for marketing, they have to take some sort of action to say "yes, you can have my data and yes, you can use it for these reasons"; that's known as positively opting in. It used to be the case that you would go on to a website and there would be a pre-ticked box that says "yeah, you can use my data for whatever". That's not the case anymore: people have to actively tick that box or take another action, for example when an email comes through to their inbox that says "click this button to be part of our mailing list so that we can use your information for X and Y". If you're collecting people's information in person, you could get them to sign something to say that they're happy for you to use their data in this way, or you could get them to tick a box that says "I'm happy for you to do this". Whatever it is, make sure that someone is taking an action and that you have evidence that they did that click.
8. Layered opt-in:
A layered opt-in form gives users easy access to understand their information and how it's going to be used, but it doesn't look messy; instead they can click on a button and delve into more information, if they'd like, about how you're going to use it.
9. Make it easy to opt out:
If you're using people's information to send them marketing, make it really easy for them to opt out of it. If you're using emails, you need to make sure people can unsubscribe; the same goes for things like text messages and call services. Similarly, if you're sending mail to people, make sure that you're writing something at the bottom that tells them how they can stop receiving the mail. The information for opting out should be really clear and really obvious (don't use any small print). Also make sure you have a really strict policy on how you're going to make sure someone who opts out doesn't get any more marketing materials from you; this is where you could really fall short of the GDPR and get reported, and that's when million-euro fines are going to come knocking at your door.
If someone doesn't want to receive anything anymore, make sure everyone in your team knows that, and that the person no longer receives anything.
10. Make sure all your team know about the new GDPR laws:
To show that you are very conscious of the law, train all of your employees, because it's just as important that they comply, so that your whole business isn't liable; be extra safe. Appoint someone in the team to be the data protection officer and make sure you've got this in writing. That means that person is responsible for enforcing all the tips. One person holding overall responsibility means
• 7. that these tips are much more likely to get enforced, because there are checks and balances in place and the business can implement them straight away.
Key take aways:
- No mailing without the user's consent/opt-in.
- Proper data organization, to be able to process the data efficiently.
- The reply-to address should be able to capture the information and act accordingly.
- No cross marketing/selling.
- Maintain data transparency with the users.
- Continuous tracking of user actions.
- Let users know we are using cookies to track their information.
- Agreement on data security between controller and processor, i.e. between our legal team and HubSpot.
- DPO to comply with GDPR guidelines and respond to all data-relevant queries.
- Any information sought by any user to be supplied within the stipulated time and free of cost.
- Plan a campaign to send to our existing customers asking them to opt in again, to be able to continue receiving email from us.
- A proper document on how our data is being stored, ensuring safety, security and privacy.
- Identify the geolocation of the user and act/take necessary precautions, especially for users residing in the EU.
- Get assurance in writing from our processor, i.e. HubSpot, that they are fully in compliance with the GDPR and ready for any kind of legal queries.
- Track user details like signup IP, signup date, timestamp, and clicked history of the layered opt-in, to deal with user complaints.
Misc. terms:
Data Subject
A person who lives in the EU.
Personal Data
Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info).
Controller
A company/organisation that collects people's personal data and makes decisions about what to do with it. So if you're collecting personal data and are determining how it will be processed (for example using the HubSpot services to market to prospects and customers), you're the Controller of that data and must comply with applicable data privacy legislation accordingly.
Processor
• 8. A company/organisation that helps a controller by "processing" data based on its instructions, but doesn't decide what to do with the data. So for example, HubSpot is the processor of the data you collect in your HubSpot portal. We don't control how you collect or use the data; we merely process it on your behalf and on your instruction.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer (DPO)
A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert.
Data Protection Impact Assessment (DPIA)
A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing.
Supervisory Authority
Formerly called "data protection authorities"; one or more governmental agencies in a member state who oversee that country's data privacy enforcement (e.g., Ireland's Office of the Data Protection Commissioner, Germany's 18 national/regional authorities).
Third Countries
Countries outside the EU.
Pseudonymisation
Pseudonymisation takes the most identifying fields within a database and replaces them with artificial identifiers, or pseudonyms. For example, a name is replaced with a unique number. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing and data retention. The information needed to reverse the mapping (the key or lookup table) must be kept separately and protected; whoever holds it can re-identify the records, so pseudonymised data is still personal data in the hands of the controller.
Personal data breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.
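The pseudonymisation definition above, together with the note on slide 2 that key-coded data stays within scope depending on how hard it is to attribute the pseudonym, as an added example in Python. This is not code from the slides; the field names (name, email, national_id), the sample record and the candidate list are constructed for illustration. It derives pseudonyms with HMAC-SHA256 under a secret key, keeps the reverse mapping in a separate vault, and shows why a plain unkeyed hash of an email address is not a pseudonym at all: it can be attributed by enumerating candidates.

```python
"""Keyed pseudonymisation of identifying fields, with a separately held
re-identification vault, and a demonstration that an unkeyed hash is
trivially attributable.

Added example, not code from the slides. Field names, the sample record
and the candidate lists used by callers are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical direct identifiers in a customer record.
IDENTIFYING_FIELDS = ("name", "email", "national_id")


def make_key() -> bytes:
    """Fresh 256-bit pseudonymisation key; stored apart from the data."""
    return secrets.token_bytes(32)


def normalise(value: str) -> str:
    # So "Alice@Example.com " and "alice@example.com" link to one pseudonym.
    return value.strip().lower()


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 truncated to 128 bits.

    The field name is mixed in (domain separation) so the same string in
    two different fields does not yield the same pseudonym.
    """
    msg = f"{field}\x00{normalise(value)}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: Dict[str, object], key: bytes,
                 vault: Dict[str, Tuple[str, str]]) -> Dict[str, object]:
    """Replace identifying fields; write the reverse mapping into `vault`.

    `vault` is the "additional information" that must be kept separately:
    a different store with its own access control, never shipped alongside
    the pseudonymised records.
    """
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        value = out.get(field)
        if value is None:
            continue
        p = pseudonym(key, field, str(value))
        vault[p] = (field, str(value))
        out[field] = p
    return out


def reidentify(record: Dict[str, object],
               vault: Dict[str, Tuple[str, str]]) -> Dict[str, object]:
    """Undo pseudonymisation; only a holder of the vault can do this."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        hit = vault.get(out.get(field))
        if hit is not None:
            out[field] = hit[1]
    return out


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain SHA-256 of the identifier."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def attribute_unkeyed(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Attribute an unkeyed hash by hashing every candidate identifier.

    Emails and ID numbers come from a small, guessable space, so anyone
    with a candidate list recovers the identity without any secret.
    """
    for c in candidates:
        if hmac.compare_digest(unkeyed_hash(c), digest):
            return c
    return None


def attribute_keyed(key: bytes, digest: str, candidates: Iterable[str],
                    field: str = "email") -> Optional[str]:
    """The same attack against the keyed scheme: succeeds only with the key."""
    for c in candidates:
        if hmac.compare_digest(pseudonym(key, field, c), digest):
            return c
    return None
```

The vault and the key are what the regulation calls "additional information"; the test below shows that with either of them the records are fully attributable, which is why the pseudonymised copy is still personal data for whoever holds them. Note that the HMAC is deterministic on purpose, so new records about the same person link to the same pseudonym without consulting the vault.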
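Slides 6 and 7 above ask for a positive opt-in with evidence of the click, an opt-out that is easy and strictly honoured, and a record of signup IP, timestamp and opt-in history to deal with complaints. The consent ledger below is an added example in Python, not code from the slides or from HubSpot; the event fields, the channel names and the sample events in demo() are constructed for illustration.

```python
"""Consent ledger for marketing: explicit opt-in with evidence, opt-out
that wins across channels, and an audit trail for complaints.

Added example, not code from the slides; event fields, channel names and
the sample events in demo() are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

CHANNELS = ("email", "sms", "post", "call")


@dataclass(frozen=True)
class ConsentEvent:
    subject: str          # customer id or email address
    action: str           # "opt_in" or "opt_out"
    channel: str          # one of CHANNELS, or "all" (opt-out only)
    purpose: str          # e.g. "marketing"
    at: datetime          # when the user acted (UTC)
    source: str           # "signup_form", "confirmation_link", "unsubscribe_link", ...
    ip: str               # client IP at the time of the action
    notice_version: str   # fair-processing notice shown to the user
    explicit: bool        # True only for an affirmative act by the user


class ConsentLedger:
    """Append-only record of consent events: never edited, only added to."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> bool:
        """Append an event. Returns False for an opt-in that was not an
        affirmative act (pre-ticked box, silence, inactivity): that is not
        consent and must never create a right to send marketing."""
        if ev.action not in ("opt_in", "opt_out"):
            raise ValueError(f"unknown action {ev.action!r}")
        if ev.channel not in CHANNELS + ("all",):
            raise ValueError(f"unknown channel {ev.channel!r}")
        if ev.action == "opt_in" and (not ev.explicit or ev.channel == "all"):
            return False  # opt-in must be explicit and per channel
        self._events.append(ev)
        return True

    def may_contact(self, subject: str, channel: str, purpose: str = "marketing") -> bool:
        """Replay the subject's history in time order: an explicit opt-in for
        this channel grants; a later opt-out for the channel or for "all" revokes."""
        allowed = False
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.subject != subject or ev.purpose != purpose:
                continue
            if ev.action == "opt_in" and ev.channel == channel:
                allowed = True
            elif ev.action == "opt_out" and ev.channel in (channel, "all"):
                allowed = False
        return allowed

    def evidence(self, subject: str) -> List[Dict[str, object]]:
        """Everything held about this person's consent, for a complaint or an
        access request: what they did, when, from which IP, under which notice."""
        hist = sorted((e for e in self._events if e.subject == subject), key=lambda e: e.at)
        return [dict(vars(e), at=e.at.isoformat()) for e in hist]

    def suppression_list(self, channel: str, purpose: str = "marketing") -> Set[str]:
        """Subjects a campaign on this channel must not be sent to."""
        seen = {e.subject for e in self._events if e.purpose == purpose}
        return {s for s in seen if not self.may_contact(s, channel, purpose)}


def utc(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def demo() -> Dict[str, object]:
    """Constructed history for one subject: the pre-ticked signup box is
    rejected, the confirmation click grants email and SMS, and a later
    unsubscribe revokes email only."""
    led = ConsentLedger()

    def ev(action, channel, at, source, explicit):
        return ConsentEvent("alice@example.com", action, channel, "marketing",
                            utc(at), source, "203.0.113.7", "notice-v3", explicit)

    r1 = led.record(ev("opt_in", "email", "2018-05-25T09:00:00", "signup_form_preticked", False))
    r2 = led.record(ev("opt_in", "email", "2018-05-25T09:05:00", "confirmation_link", True))
    r3 = led.record(ev("opt_in", "sms", "2018-05-25T09:05:00", "confirmation_link", True))
    r4 = led.record(ev("opt_out", "email", "2018-06-01T12:00:00", "unsubscribe_link", True))
    return {
        "accepted": (r1, r2, r3, r4),
        "email_ok": led.may_contact("alice@example.com", "email"),
        "sms_ok": led.may_contact("alice@example.com", "sms"),
        "evidence_count": len(led.evidence("alice@example.com")),
        "email_suppressed": "alice@example.com" in led.suppression_list("email"),
    }
```

Two design points matter here: opt-ins are stored per channel and only when explicit, so a pre-ticked box or a reply of silence can never authorise a mailing; and opt-outs are replayed after opt-ins in time order, so a campaign run through suppression_list() cannot reach someone who unsubscribed, which is the failure the slides warn leads to fines. The evidence() output is what you hand over on a complaint.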