The document discusses the General Data Protection Regulation (GDPR), the EU data protection law that took effect on May 25, 2018. It defines key terms related to personal data and outlines the major changes under GDPR, including fines of up to 4% of global annual turnover or €20 million, expanded territorial scope, strengthened individual rights around consent, access and erasure, mandatory breach reporting, privacy-by-design requirements, and mandatory appointment of data protection officers for some organizations. It also discusses how legal, technology and data functions will need to adapt, and provides best practices for organizations to assess their compliance.
7. Fines can reach 4% of annual global turnover or €20 million,
whichever is higher
€'000 → €'000,000
Previously, fines were set by each member state's national law
and were capped at far lower amounts.
GDPR fines apply to both controllers and processors.
Key Changes of the GDPR
8. GDPR covers more territory
EU → World
GDPR applies to any organization processing the personal data
of people in the EU, regardless of where the organization is
established, whenever the processing relates to offering them
goods or services or to monitoring their behaviour in the EU.
9. Explicit and retractable consent
Consent must be freely given, specific, informed and unambiguous
(explicit for special categories of data). The request must be
presented in an intelligible and easily accessible form, using
clear and plain language, and it must be as easy to withdraw
consent as it is to give it. Pre-ticked boxes and silence do not
count as consent.
10. Right to access and portability
Data subjects can request confirmation as to whether or not
personal data concerning them is being processed, where, for
what purpose and with whom it is shared. The controller must
provide a copy of the personal data free of charge and, where
the request is made electronically, in a commonly used
electronic format. Under the portability right the copy must be
in a structured, commonly used, machine-readable format so the
data subject can transmit it to another controller.
11. Breach notification within 72 hours
Personal data breaches must be reported to the supervisory
authority without undue delay and, where feasible, within 72
hours of the controller first becoming aware of the breach,
unless the breach is unlikely to "result in a risk to the rights
and freedoms of individuals". Processors must notify the
controller without undue delay, and where the breach is likely to
result in a high risk the affected individuals must be informed
as well.
12. Privacy by design and by default
It is now a legal requirement to build data protection into
systems from the outset of their design, with the most
privacy-protective settings as the default, rather than adding
it retrospectively.
13. Right to be forgotten
Entitles the data subject to have the data controller erase
their personal data, cease further dissemination of the data
and, where the data has been made public, take reasonable steps
to have third parties halt processing of it.
14. Mandatory Data Protection Officers
A Data Protection Officer is mandatory for public authorities
and for organizations whose core activities involve regular and
systematic monitoring of individuals on a large scale, or
large-scale processing of special categories of data.
15. The areas of your organization that will be affected by
GDPR
● Legal and Compliance,
● Technology and
● Data
16. Legal & Compliance
● Many organizations will be required to appoint a Data Protection Officer (DPO)
(see Articles 37-39)
● Estimates put the number of new DPOs needed in Europe alone at around 28,000
● More emphasis is placed on how organizations write and review their privacy
policy so that it is easier for visitors to understand
17. How the Legal & Compliance areas are affected
● With fines as high as 4% of annual global turnover, far more enforcement
is expected
● Accountability requirements mean organizations must be able to prove to
regulators that they are GDPR compliant, for example through records of
processing activities
● Increased demand for DPOs will make it a challenge to find qualified and
competent professionals, as they are in short supply
● Organizations will have to inform and educate customers transparently
about how their data is used
18. From the Technology perspective
● When a personal data breach occurs, organizations have 72 hours from
becoming aware of it to report it to the regulator, so detection, logging
and an incident response process must already be in place
● Consent-based processing is opt-in, and individuals have the right to
object to processing such as profiling, tracking and the sharing of their
information with third-party organizations and websites
● Encryption is a recognized safeguard (and can remove the duty to notify
affected individuals if the data is rendered unintelligible), but it does
not remove the duty to notify the regulator, and organizations must still
focus heavily on how their data infrastructure, key management and access
controls are set up
● "Privacy by Design" must be applied whenever new technologies are
deployed
19. Data Storage Best Practices
● Organizations will have to demonstrate how they store their data, what
information is stored and how it is shared
● Data portability allows customers to request a copy of their data in a
structured, commonly used, machine-readable format
● Customers have the right to be forgotten and can have the data held on
them deleted, including copies held by processors and backups in scope
● More emphasis is placed on classifying data, and on pseudonymization:
processing data so that it can no longer be attributed to a specific
person without additional information that is kept separately under
technical and organizational controls. Pseudonymized data is still
personal data under GDPR; only truly anonymous data falls outside it
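As an added example (not from the slides), the following Python script shows what the pseudonymization point above means in practice: direct identifiers are replaced with keyed HMAC-SHA256 pseudonyms so that the analytics copy can still be joined on a customer, while the key and the pseudonym-to-identity lookup (the "additional information" kept separately) stay with a separate custodian. It also shows why an unkeyed hash of an e-mail address is not pseudonymization: the input space is guessable, so the hash can be reversed by re-hashing a list of candidates. The record layout, field names and customer data are constructed for the demo.

```python
"""Pseudonymization of customer records with a keyed hash (added example).

Assumptions (not from the slides): the record layout, field names and the
sample customers are constructed; in production the HMAC key would be held
in a KMS/HSM by a custodian separate from the analytics team.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample data; no real people. Alice appears twice on purpose.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice@example.org", "age": 34, "plan": "pro"},
    {"customer_id": "C-1002", "email": "bob@example.org", "age": 51, "plan": "free"},
    {"customer_id": "C-1001", "email": "alice@example.org", "age": 34, "plan": "pro"},
]

# Fields that directly identify a person and must not reach the analytics copy.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def plain_sha256(value: str) -> str:
    """Unkeyed hash, shown only to demonstrate why it is NOT pseudonymization."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, hex encoded.

    Same input + same key -> same pseudonym, so records can still be joined;
    without the key the pseudonym can neither be reversed nor recomputed.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of `record` with direct identifiers replaced by pseudonyms.

    `lookup` maps pseudonym -> original value. It is the separately held
    re-identification table and must never travel with the analytics data.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            p = pseudonym(out[field], key)
            lookup[p] = out[field]
            out[field] = p
    return out


def build_datasets(key: bytes):
    """Split raw records into an analytics copy and the separate lookup table."""
    lookup: dict = {}
    analytics = [pseudonymize(r, key, lookup) for r in CUSTOMERS]
    return analytics, lookup


def dictionary_attack(target: str, candidates, key: Optional[bytes]) -> Optional[str]:
    """Try to reverse a pseudonym by re-hashing guessed identifiers.

    key=None models an attacker facing an unkeyed SHA-256: any list of
    plausible e-mail addresses recovers the original. Against the keyed
    pseudonym the same attacker (no key) gets nothing.
    """
    for c in candidates:
        guess = plain_sha256(c) if key is None else pseudonym(c, key)
        if hmac.compare_digest(guess, target):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated for the demo; normally from a KMS
    analytics, lookup = build_datasets(key)
    print(json.dumps(analytics, indent=2))
    print("distinct customers in analytics copy:",
          len({r["email"] for r in analytics}))
    guesses = ["carol@example.org", "bob@example.org", "alice@example.org"]
    print("plain SHA-256 reversed to:",
          dictionary_attack(plain_sha256("alice@example.org"), guesses, None))
    print("keyed pseudonym reversed without key:",
          dictionary_attack(analytics[0]["email"], guesses, None))
    print("re-identified via separately held lookup:",
          lookup[analytics[0]["email"]])
```

Deleting the key (and the lookup table) turns every pseudonym in the analytics copy into an irreversible token, which is one way to honour an erasure request across copies that cannot practically be rewritten; whether the residual data then counts as anonymous depends on what other fields remain.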
20. How to make sure that Your Organization is
compliant with GDPR
● Inform the key people in your organization about GDPR and the
compliance rules and regulations around it
● Assess your organization against the key points above to determine what
needs to be done to make it GDPR compliant
● Build an inventory of all the data collected and stored, whom it is shared
with and how it is governed
● Implement GDPR by defining how data privacy is governed and what the
associated roles and responsibilities are
21. How to make sure that Your Organization is
compliant with GDPR (continued)
● Determine how compliance will be demonstrated, how your organization
will capture the consent of customers and how to make your privacy
policy more transparent in order to educate and inform customers
● Implement and deploy technology in order to comply with Privacy by
Design
● Make sure that your organization has the right data governance policies
in place in order to respond effectively to individuals' rights under
GDPR
● Update contracts with third-party tools and processors that handle customer
data (Article 28 requires a written contract)
● Add a cookie notification and consent popup
● Keep a record of all European opt-ins, including when and how consent
was given
● Update your privacy policy and terms of service