Presentation on GDPR

  1. GDPR-General Data Protection Regulation Presented by: Dipanjan Dey
  2. GDPR - General Data Protection Regulation
     What is GDPR?
     The General Data Protection Regulation (GDPR) harmonises data protection law across all 28 EU member states (as of 2018) and imposes strict rules on the controlling and processing of personal data (often loosely called personally identifiable information, PII). It also strengthens data protection rights by giving EU residents more control over their own data. GDPR replaces the 1995 EU Data Protection Directive; it entered into force in May 2016 and has applied since May 25, 2018. In the UK it is supplemented by the Data Protection Act 2018, which replaced the 1998 Data Protection Act.
     Who is covered under GDPR?
     GDPR applies to all organisations holding and processing EU residents' personal data, regardless of geographic location. Many organisations outside the EU are unaware that GDPR applies to them as well: if an organisation offers goods or services to, or monitors the behaviour of, individuals in the EU, it must meet GDPR compliance requirements.
     What does it cover?
     The main points of GDPR concern the privacy rights of everyday users and the data they create online. It affects businesses of all sizes because it changes how companies gather, store and look after personal data.
     What are the consequences of non-compliance?
     Any organisation found not to be complying with the regulation after the May 25, 2018 deadline can face heavy fines of up to 4% of annual global turnover or €20 million, whichever is greater.
  3. Relevance of GDPR in India
     - Direct impact of the GDPR on Indian businesses and on people living in India
     - Indirect impact on India's legal approach to privacy and data protection
     The biggest impact of the GDPR for India is probably the indirect, or persuasive, impact. In preparation for the day the law took effect, companies across the world updated their consent terms and their privacy policies.
     [Diagram: an Indian travelling to Europe; an IT company providing goods and services to the EU; consent terms and privacy policy; GDPR]
  4. Jurisdiction of GDPR - A Global Law
     Material Scope (Art. 2)
     Article 2 governs the material scope of the GDPR: it applies to the processing of "personal data", defined as any information relating to an identified or identifiable natural person.
     Territorial Scope (Art. 3)
     Article 3 governs the territorial scope of the GDPR. Under Articles 3(1) and 3(2), the GDPR applies to businesses established in the EU, and to businesses based outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Article 3(3) adds that the GDPR also applies where EU Member State law applies by virtue of public international law.
     Summary
     - Under the GDPR, jurisdiction depends less on where a business is incorporated or headquartered and more on the scope and location of its business activity.
     - The GDPR applies to the processing of personal data by businesses "established" within the EU.
     - More controversially, it also applies to businesses outside the EU whose data processing activities relate to offering goods or services to individuals in the EU or to monitoring such individuals' behaviour.
     - This latter provision expands the territorial scope of the GDPR well beyond the EU, essentially making it a global law.
  5. Data Subject Rights
     The General Data Protection Regulation (GDPR) grants people, in their capacities as consumers, citizens and so on, a range of specific data subject rights that they can exercise under particular conditions, with a few exceptions as usual. GDPR compliance means, among other things, enabling the exercise of these rights.
     The rights are listed in Articles 15 to 22; Article 12 (transparent information, communication and modalities for the exercise of the rights of the data subject) governs how they are exercised.
     Data subject rights are never absolute: there are, as mentioned, conditions and exceptions, and there are other rights and obligations to keep in mind. Organisations have legal obligations of their own (for example statutory retention duties) that can limit how a right is honoured.
     The 8 Fundamental Data Subject Rights
  6. Right to Information (Art. 12, 13, 14)
     This right entitles the data subject to be told what personal data about him or her is being processed and the rationale for that processing. For example, a customer may ask for the list of processors with whom his or her personal data is shared.
     Before data is collected, a data subject has the right to know how it will be collected, processed and stored, and for what purposes.
     Create easy-to-read policies that state explicitly what information is being stored about an individual and how it will be used. Ensure that every data collection process informs the user before the data is collected.
  7. Right of Access (Art. 12, 15)
     This right entitles the data subject to access the personal data about him or her that is being processed. An access request lets data subjects see their own personal data and request copies of it.
     After data is collected, a data subject has the right to know how it has been collected, processed and stored, what data exists, and for what purposes.
     A service provider must implement a process and the technical capabilities to: a) track all data relating to the requester in its systems, b) vet a right of access request, and c) provide that information to the requester.
  8. Right to Rectification (Art. 12, 16)
     This right entitles the data subject to ask for modifications to his or her personal data where the data subject believes it is not up to date or not accurate.
     A service provider must implement a process and the technical capabilities to: a) vet a right to rectification request, b) correct the data, and c) confirm the correction to the requester.
  9. Right to Erasure, or "Right to be Forgotten" (Art. 12, 17)
     This right entitles the data subject to ask for the deletion of his or her data. It will generally apply where a customer relationship has ended. It is important to note that this is not an absolute right: it depends on your retention schedule and retention periods, which must be in line with other applicable laws.
     Implement a process and the technical capabilities to: a) track all data relating to the requester in your systems, b) vet a right to erasure request, c) erase all data covered by the request, d) confirm the erasure to the requester, e) automatically delete data after the determined retention period, and f) inform other processors to whom the data was passed of the request.
  10. Right to Restrict Processing (Art. 12, 18)
     A data subject has the right to block or suppress the processing or use of his or her personal data.
     This requires a process and the technical capabilities to: a) track all data relating to the requester in the organisation's systems, b) vet a right to restriction of processing request, c) pause processing without erasing the data, and d) confirm the restriction of processing to the requester.
  11. Right to Data Portability (Art. 12, 20)
     This right entitles the data subject to ask for the transfer of his or her personal data. As part of such a request, the data subject may ask for the personal data to be provided back to him or her, or transferred to another controller. In either case the personal data must be provided in a machine-readable electronic format.
     A data subject has the right to move, copy or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format.
     Where technically feasible, this includes the right to have the data transmitted directly from one controller to another without the data subject having to handle it.
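Slides 7 to 11 each describe the same operational loop: locate every record about the requester, vet the request, act on the data, and confirm the outcome, with a retention schedule and a legal-hold exception behind erasure. The following Python is an added example, not part of the presentation, showing one minimal way to implement that loop in a single handler. The systems, subject identifiers, retention periods, sample records and the identity check (a pre-verified set standing in for a real identity-verification step) are all assumptions made for illustration.

```python
"""Added example (not from the presentation): a minimal data-subject-request
handler for access, rectification, erasure, restriction and portability.
Every system name, subject ID, retention period and the identity check are
assumptions made for illustration."""
import json
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    system: str          # which internal system holds this record (assumed names)
    subject_id: str
    data: dict
    collected: date
    purpose: str
    restricted: bool = False   # Art. 18: processing paused, data kept
    legal_hold: bool = False   # statutory retention duty; blocks erasure


class DataSubjectRequests:
    # Assumed retention periods in days per system; expiry triggers auto-deletion.
    RETENTION_DAYS = {"crm": 365, "marketing": 180, "billing": 7 * 365}

    def __init__(self, records, verified_subjects):
        self.records = list(records)
        # Stand-in for a real identity-verification step: only requests from
        # subjects whose identity has already been confirmed are honoured.
        self.verified = set(verified_subjects)

    def _vet(self, subject_id, right):
        """Step b) on each slide: refuse requests whose identity is unverified."""
        if subject_id not in self.verified:
            raise PermissionError(f"{right}: identity of {subject_id} not verified")

    def locate(self, subject_id):
        """Step a): every record relating to the requester, across all systems."""
        return [r for r in self.records if r.subject_id == subject_id]

    def access(self, subject_id):
        """Art. 15: what is held, where, for which purpose and since when."""
        self._vet(subject_id, "access")
        return [{"system": r.system, "purpose": r.purpose, "data": r.data,
                 "collected": r.collected.isoformat()} for r in self.locate(subject_id)]

    def rectify(self, subject_id, field_name, new_value):
        """Art. 16: correct a field in every system where it appears."""
        self._vet(subject_id, "rectification")
        changed = 0
        for r in self.locate(subject_id):
            if field_name in r.data:
                r.data[field_name] = new_value
                changed += 1
        return changed

    def restrict(self, subject_id):
        """Art. 18: pause processing without erasing; returns records flagged."""
        self._vet(subject_id, "restriction")
        hits = self.locate(subject_id)
        for r in hits:
            r.restricted = True
        return len(hits)

    def active_records(self):
        """What downstream processing may use: restricted records are excluded."""
        return [r for r in self.records if not r.restricted]

    def erase(self, subject_id):
        """Art. 17: delete everything not under a legal hold; report what was kept."""
        self._vet(subject_id, "erasure")
        held = [r.system for r in self.locate(subject_id) if r.legal_hold]
        erased = len(self.locate(subject_id)) - len(held)
        self.records = [r for r in self.records if r.subject_id != subject_id or r.legal_hold]
        return {"erased": erased, "retained_under_hold": held}   # confirm to requester

    def export(self, subject_id):
        """Art. 20: the same data as access, in a machine-readable format (JSON)."""
        self._vet(subject_id, "portability")
        return json.dumps(self.access(subject_id), indent=2, sort_keys=True)

    def purge_expired(self, today):
        """Retention schedule: auto-delete records past their period unless held."""
        keep = [r for r in self.records if r.legal_hold
                or today - r.collected <= timedelta(days=self.RETENTION_DAYS[r.system])]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def build_sample():
    """Constructed sample data: one verified subject with records in three systems."""
    today = date(2018, 6, 1)
    records = [
        Record("crm", "s-100", {"name": "A. Example", "email": "a@example.test"}, date(2018, 1, 10), "contract"),
        Record("marketing", "s-100", {"email": "a@example.test", "segment": "travel"}, date(2017, 9, 1), "legitimate interest"),
        Record("billing", "s-100", {"invoice": "INV-1"}, date(2018, 2, 2), "legal obligation", legal_hold=True),
        Record("crm", "s-200", {"name": "B. Other"}, date(2018, 3, 3), "contract"),
    ]
    return DataSubjectRequests(records, verified_subjects={"s-100"}), today


if __name__ == "__main__":
    handler, today = build_sample()
    print(handler.export("s-100"))
    print("restricted:", handler.restrict("s-100"), "purged:", handler.purge_expired(today))
    print("erase:", handler.erase("s-100"))
```

The erasure outcome deliberately reports which systems kept data under a legal hold, since the requester must be told why part of the request was refused; the restriction flag leaves the data in place but removes it from what processing jobs may read.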
  12. Right to Object to Processing (Art. 12, 21)
     Individuals can object to the processing of personal data that is carried out on the grounds of legitimate interests or the performance of a task in the public interest or in the exercise of official authority. Organisations must stop processing the data unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims.
     A data subject has the right to object to public authorities or companies processing his or her data without explicit consent.
     A data subject also has the right to stop his or her personal data from being used for direct marketing, and an objection to direct marketing must always be honoured.
  13. Rights Related to Automated Decision-making (Art. 12, 22)
     A data subject has the right to demand human intervention, rather than having decisions with legal or similarly significant effects made solely by an algorithm.
     A data controller must implement a process and the technical capabilities to: a) track all data relating to the requester in its systems, b) vet an Article 22 request, c) let the requester express his or her point of view and contest the decision, and d) provide all relevant information to a human decision-maker who reviews the decision.
  14. Exemptions
     The GDPR releases controllers from the obligation to comply with certain data subject rights where the controller can demonstrate that it is not in a position to identify the data subject (Article 11).
     Recital 63 notes that the right of access should not adversely affect the rights of others, which can extend to the protection of intellectual property rights and trade secrets (for example, if releasing the logic of automated decision-making would disclose such information). However, the recital also notes that a controller cannot refuse to provide all information on the basis that access may infringe others' rights.
     Further exemptions and restrictions include:
     - Exercising the right of freedom of expression (processing of personal data for journalistic purposes or for academic, artistic or literary expression)
     - Reasons of public interest in the area of public health (such as cross-border health threats)
     - Archiving in the public interest, and scientific, historical or statistical research purposes
     - Compliance with a legal obligation under Union or Member State law
     [Diagram: GDPR exemptions - legal obligation under Member State law; right to freedom of expression; data subject unidentified; protection of IPR and trade secrets; research purposes; public health]