On 14/4/2016 the EU Data Privacy regulation was approved and is now mandatory. However, companies have 2 years to adapt to it before receiving an economic penalty for not having done so - deadline: 25/05/2016
ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Index
1. Approval process Slide 3
2. Main actors Slide 5
3. Main changes introduced by the GDPR Slide 6
4. Economic penalties Slide 10
5. Sources used to expand knowledge Slide 11
1. Approval process
[Timeline figure: approval process of the GDPR, in chronological order]
- January 2012: Proposed
- March 2014: Common position of the European Parliament
- June 2015: Common position of the Council of Europe
- 2nd half of 2015: "Trilogue"
- 2015: Agreed final text
- April 14th 2016: Formal approval
- May 2018: Application in the 28 EU Member States
Time adjustment / adaptation: 2 years
1. Approval process
Approval main dates:
14/4/2016: The EU Data Privacy regulation was approved and is now mandatory. However, companies have 2 years to adapt to it before receiving an economic penalty for not having done so.
04/05/2016: The EU Data Privacy regulation was published in the Official Journal of the European Union; 20 days later (25/05/2016) the new EU Data Privacy regulation entered into force. (*)
(*) Published here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
3. Main changes introduced by the GDPR
a) The requirement to register files with the National Data Protection Authorities is removed. However, both the controller (the party responsible for the data) and the processor (the party carrying out the processing on its behalf) must keep a written record of the processing operations they carry out.
b) The "main establishment" of the controller means the place of its central administration in the EU, except that if the purposes and means of processing are decided in another Member State, that state is deemed to be the main establishment.
c) The need for the controller to test and demonstrate compliance with the Regulation is reinforced, through the adoption and implementation of policies and measures.
d) The data subject must give express consent. This consent must be freely given, specific, informed and unambiguous. For minors, an age range between 13 and 16 years is set for consent to be given validly.
e) It is mandatory to inform the data subject at the time of data collection. In addition, the contact details of the DPO, the retention period of the data and the right to lodge a complaint, if necessary, with the Supervisory Body must be communicated.
f) Processing of personal data relating to criminal convictions and offences is restricted to public authorities.
g) Nothing new about ARCO rights (access, rectification, cancellation and opposition); however, new rights have been incorporated: the right of withdrawal (related to the right to be forgotten), the right to restriction of processing and the right to data portability.
h) Introduction of "Privacy by Design", which consists of data protection by design and by default. The concept must be built into any new project that supports the business. In addition, two new duties are established: impact assessments when processing is likely to be high risk, and prior consultation with the Supervisory Body when an impact assessment is carried out.
i) Technical and organizational measures must be applied to ensure a level of security appropriate to the risk.
j) An obligation is established to notify the Control Authority, and in certain cases the data subject, of any personal data security breach within 72 hours (from detection).
k) Introduction of the key figure of the DPO (Data Protection Officer) for large-scale processing.
l) Two new instruments are introduced: a) codes of conduct and b) certifications, which help to provide guarantees for parties outside the Regulation. A new European Data Protection Seal has been created.
m) Regarding international transfers, 4 scenarios are distinguished: 1) a list of countries that ensure an adequate level of protection; 2) authorizations granted before the Regulation takes effect remain valid until they are repealed, amended or replaced by the Control Authority or the Commission; 3) transfers ordered by courts; and 4) the exceptions regulated in the previous Directive are maintained.
n) In this sense, when processing relates to the offering of goods and services or the monitoring of behaviour, controllers not established in the EU will be obliged to appoint a representative.
o) Control Authorities shall cooperate, provide mutual assistance and establish consistency mechanisms for the implementation of the Regulation.
p) Penalties of EUR 10 million or up to 2% of the previous year's turnover, and EUR 20 million or up to 4% of the previous year's turnover, will be set.
4. Economic penalties
The General Data Protection Regulation (GDPR) carries large economic penalties, which become applicable 2 years after the Regulation was approved, i.e. in May 2018.
Penalties of EUR 10 million or up to 2% of global turnover for the previous year, and EUR 20 million or up to 4% of global turnover for the previous year, are established.
5. Sources used to expand knowledge
"General Data Protection Regulation (GDPR)" complete text + Formal approval | Eur-Lex Access to European Union Law
URL: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
Reform of EU data protection rules | Eur-Lex Access to European Union Law
URL: http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Agreement on Commission's EU data protection reform will boost Digital Single Market - Press release | European Commission website
URL: http://europa.eu/rapid/press-release_IP-15-6321_en.htm
Questions and Answers - Data protection reform | European Commission website
URL: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm
"General Data Protection Regulation" - Wikipedia
URL: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Questions?
Many thanks!
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro