2. GDPR EXECUTIVE OVERVIEW
GENERAL DATA PROTECTION REGULATION
The objective of the GDPR is harmonization of EU regulations to enhance
the rights of EU citizens to govern the privacy of their personal information
and ensure organizations provide the right protections.
The GDPR applies to EU and non-EU organizations that:
(i) offer goods or services to EU residents;
(ii) monitor the behavior of EU residents.
The GDPR effective date:
May 25, 2018
Penalties:
Up to 20,000,000 EUR or 4% of worldwide revenue from the previous fiscal year (Article 83).
Fines are determined by the Data Protection Authority (Supervisory Authority).
* The “Articles” referenced in this document refer to the articles included in the GDPR regulation. A link to the regulation text is included in the Appendix section of this document.
3. GDPR EXECUTIVE OVERVIEW
GDPR CONCEPTS
Principles, privacy, and protection represent the core focus for GDPR readiness. Organizations must focus on adhering to principles, implementing processes to satisfy privacy rights of the individual, and securing data.
Principles
Data processed lawfully, fairly, and transparently
Only collect the personal data needed
Accuracy of personal data must be maintained
Minimize the time data is kept in a form that identifies data subjects
Maintain the confidentiality and integrity of personal data
Privacy (rights of data subjects)
Transparent information, communication and modalities for the exercise of the rights of the data subject
Information to be provided where personal data are collected from the data subject
Right of access by the data subject
Right to rectification
Right to erasure (‘right to be forgotten’)
Right to restriction of processing
Right to data portability
Protection (controllers and processors)
Data Protection Officer (DPO)
Data protection by design
Records of processing activities
Security of processing
Notification of a personal data breach to the supervisory authority
Communication of a personal data breach to the data subject
Data protection impact assessment
Code of conduct
4. GDPR EXECUTIVE OVERVIEW
EXECUTION
GDPR requires the organization to address privacy and security of personal data. A proven approach to gaining clarity on GDPR relevance and understanding how to execute is described below. The Data Protection Officer (DPO) must lead the effort to achieve and maintain alignment.
Preparation
• Assign data privacy ownership
• Understand the regulation
Assessment
• Understand the risk of activities
• Perform Readiness Assessment
Implementation
• Inform the Organization
• Address consent
• Address rights of the individual
• Protect personal data
Maintenance
• Operationalize GDPR controls
5. GDPR EXECUTIVE OVERVIEW
KEY CONSIDERATIONS
GDPR readiness can be complex for some organizations. Leadership should begin to prepare the organization for the journey.
1. Establishing the DPO role (internal or external) is key
2. Gain clarity on the organization’s responsibility
3. Complying with the rights of the individual is not trivial – it impacts business processes, the service desk, and technology. Factor the effort into the 2018 budget – resource impact is a key consideration (assuming good security practices).
4. Processor assessment is key – liability isn’t shifted to the processor
5. Certification is not defined and is not required. The DPA (supervisory authority) will assign certification bodies and certification guidelines. Move forward with readiness while tracking DPA guidance.
6. GDPR EXECUTIVE OVERVIEW
GDPR MISPERCEPTIONS
Understanding GDPR requirements can be complex. There are several common misperceptions that should be clarified.
1. A Data Protection Officer is required for all organizations
2. Each GDPR incident will carry a fine equivalent to the greater of 20 million EUR or 4% of annual worldwide revenue
3. Consent is always required for processing of personal data
4. Parental consent is always required when collecting personal information from a child
5. Individuals have the absolute right to be forgotten
6. Biometric data is sensitive data
7. Controllers do not require processing agreements with processors – GDPR takes care of this
Editor's notes
“Personal data”* means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier:
Name;
Identification number;
Location data;
Online identifier (e.g., email address);
Physical and/or physiological;
Genetic;
Economic;
Cultural or ethnic
Security of processing – anonymization and pseudonymization represent additional security requirements (potentially)
Data processed lawfully: consent obtained, processing conducted in accordance with stated purpose, and complies with GDPR
Code of conduct establishes readiness with GDPR. Communicates how the organization will comply and manage risk.
'cross-border processing' means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
The critical path is implementing business processes to address the rights of the individual – right to access personal data, right to correction, right to be forgotten, etc.
Understanding data – what data do you have?
Data governance – What data do I have? How is it used? Do I need it? How do I protect it?
Be able to defend controls
Joint Controllers and data ownership – how does this work
Cross-border traffic – where does it apply and what are the implications
Data subjects’ ability to withdraw consent – what’s the impact
Certification with the Supervisory Authority
Anonymization of personal data – blurring/fuzzing of non-data subjects in video and other media
Customers leaving the platform – how does this work and what are the implications
Records of processing activities (Article 30(5)) – applicability to dscout.
How to handle the Privacy Policy separately from agreeing to the TOS?