This document provides an overview of the EU General Data Protection Regulation (GDPR) which takes effect on May 25, 2018. It discusses the issues with how organizations currently manage data and how GDPR aims to better protect consumer data. Key points include expanded definitions of personal data, increased rights for data subjects, higher fines for non-compliance, and new requirements for consent, transparency, accountability, and breach notification. It outlines four steps businesses need to take, including reviewing policies, establishing a legal basis for processing, demonstrating compliance, and considering appointing a data protection officer.
Why GDPR? 4 Steps to GDPR Compliance
1. Why GDPR?
The issues with how organisations manage data at present
What is GDPR and how will it help protect consumers?
What do businesses need to know?
4 steps to be GDPR compliant
Preparing for 25th May 2018
2. THE WORLD HAS CHANGED
Over 3 million data records are lost or stolen every day
Existing EU Directives are not enough to protect European Citizens
4. OVERVIEW OF EU GENERAL DATA PROTECTION REGULATION
What is GDPR?
General Data Protection Regulation – enforced by EU
Expands on some parts of DPA/existing Directive; creates other new requirements
Determines how personal data should be processed and used
Comes into effect on 25 May 2018, regardless of Brexit
5. SO WHAT?
Impacts every data controller and processor dealing with data on subjects in Europe
79 times higher than previous fines
Potential fines of up to 4% of your organisation’s annual turnover or €20,000,000 – whichever is higher
Who? Means:
Data subject – Any EU citizen who has entrusted a controller with their personal data: customers, service users, employees
Data controller – Who the data subject entrusts with their data. Responsible for deciding how the data is handled.
Data processor – Any entity that handles personal data on the data controller's behalf.
7. What’s new?
Expanded definition of “personal data”
Transparency and consent
Enhanced rights for data subjects
Accountability
Data protection by design
Notifying subjects of data breaches
New rights you need to know
Rights to:
Be informed
Access
Rectification
Erasure
Restrict processing
Data portability
Object
8. Personal data
Any form of automated data processing to analyse or predict:
Performance at work
Economic situation
Health
Personal preferences
Reliability
Behaviour
Location
Movements
Are you keeping, or planning to keep, personal or sensitive data such as cookies, IP addresses, biometric data, genetic data?
9. 4 Requirements for Your Data Protection Policy
1) Legal basis for processing
2) Legitimate interests (if any)
3) Right to lodge complaint
4) How long data will be retained
Clear, concise and accessible
10. Consent
Freely given, specific, informed and unambiguous
Clear affirmative action
Provided separately from other written agreements
Verifiable
As easily withdrawn as given
Hint!
Large and complex structured organisations benefit from an EQMS to manage policies and procedures, approval workflows and monitor compliance activity.
Make employees accountable:
http://quality.eqms.co.uk/eqms-datasheets-download
Get your policies and processes in order
11. DATA BREACHES ARE USUALLY PREVENTABLE
Poor passwords
Weak remote access
Unpatched flaws
Misconfigurations
Malicious insider
http://www.computerworlduk.com/security/most-data-breaches-still-discovered-by-third-parties-3615783/
The average time between breach and discovery is 188 DAYS
Protect your reputation with proactive policies, employee training & robust systems
12. Notification of data breaches
Personal data destroyed, lost, altered, disclosed to or accessed by unauthorised people
Reported to:
Supervisory authority – where the breach risks discrimination, reputational damage, financial loss or loss of confidentiality
Individual(s) affected – same, but high risk
Report within 72 hours of breach
Accountability is key
Hint!
EQMS Workflow Manager assigns responsibility and manages incidents such as a data breach through to completion. Everyone knows what they are doing, when.
Make employees accountable:
http://quality.eqms.co.uk/eqms-software-demonstration
13. Accountability – Data protection by design
Must demonstrate compliance with GDPR - How?
Policies and procedures (audits, HR policies)
Staff training
Pseudonymisation
Data protection impact assessments
Appointing data protection officer
Robust systems to protect employees and customers
Hint!
EQMS provides a robust framework for managing business processes. Manage policies, assign responsibility and use the audit trail function to demonstrate compliance activity.
Read more:
http://quality.eqms.co.uk/eqms-software-demonstration
14. Enhanced rights for data subjects
Right to:
Confirmation that data is being processed
Receive data
Rectify any inaccurate or incomplete data
‘Be forgotten’
Restrict processing of data
Obtain and re-use data for own purposes
Accountability is key
15. Example Timeline for GDPR Compliance Training
Workshop with high interest / high power stakeholders:
What data do we have?
What data are we planning to have?
How can we minimise risk? E.g. pseudonymisation.
Make department managers accountable for the data they capture:
Has each department manager completed a data protection impact assessment? (Use EQMS Audit Manager & assign an audit to be completed by each department manager.)
Are the policies sufficient?
Are controls in place to demonstrate opt-in?
Do we need to get permission to continue using this data?
Do we need a Data Protection Officer?
Roll out training: train employees on the new GDPR requirements – EQMS Training Record Manager
Employees aware of & engaged with their GDPR requirements. (Use the EQMS Training Manager training matrix to easily manage which employees have outstanding training requirements.)
Steps to getting GDPR-ready
18. Steps to compliance
Review data protection policies
Establish legal basis for processing
Identify how to demonstrate compliance
Consider whether to appoint DPO
19. 1) Review policies
Individuals told about right to object, at first communication
Understanding of what constitutes “data breach” – more than loss of data
Procedures for detecting, investigating and reporting breaches
Insurance coverage in case of breach
20. 2) Establish legal basis for processing
Be clear on grounds for lawful processing
If consent:
Obtained correctly, as mentioned earlier
Subjects informed of right to withdraw at any time, and given simple methods to do so
21. 3) Demonstrate compliance
New policies – data protection by design
Regular audits
Staff training
Pseudonymisation
Review and update existing information notices
22. 4) Consider a data protection officer
Informs and advises on obligations
Monitors compliance – manages internal activities and audits, trains staff
First point of contact for supervisory authorities and data subjects
Compulsory that DPO:
Reports to board/directors
Independent, and not penalised for performing job
Has resources to meet obligations
Can be existing employee as long as compatible and no conflict of interest
No qualifications, but should have professional experience and knowledge of law
24. DOWNLOAD GDPR TOOLKIT
quality.eqms.co.uk/gdpr-general-data-protection-regulation-eu-toolkit
Editor's notes
General Data Protection Regulation
Today's presentation is about the General Data Protection Regulation (GDPR), a new data protection law.
First of all, a bit of background information on the regulation – why it's being enforced and so on.
Then we'll go into a little more detail about what it means for businesses – how businesses will be affected, and what they'll need to do to make sure they comply.
Finish off by focusing on what it means for Qualsys in particular.
It's the General Data Protection Regulation, and it's being enforced by the EU.
Broadly similar to the UK Data Protection Act, it deals with things such as fairness, lawfulness, transparency, data security, and confidentiality. Data protection laws have been in force in most EU countries for about 20 years, so many organisations already have the basics in place and won’t need to make too many adjustments.
It’s the first global data protection law in that any company worldwide that works with information relating to EU citizens MUST COMPLY. It is not just limited to companies based in the EU.
Centred around the use of “personal data”, which has always been a fairly broad definition but has changed a little under GDPR.
Comes into effect on 25 May 2018, regardless of Brexit.
Businesses will already be complying with the Data Protection Act and the existing EU Directive. But what new requirements does GDPR enforce?
Expands definition of "personal data" – brings in some new categories of data that have mostly arisen due to the proliferation of the internet
Transparency and consent – new requirements around obtaining permission from individuals to use their personal data, and justifying why you're using it
Enhanced rights – GDPR gives data subjects several new rights, which we'll look at
Accountability – holding organisations accountable is a big part of the new regulation. Organisations expected to adopt significant new measures to demonstrate that they're complying with GDPR.
GDPR expands the definition set out in the DPA and the previous EU directive.
"Personal data" still means things like names, ID numbers and physical information, but now also covers location data and online identifiers such as IP addresses and cookies.
Data protection laws use the term "sensitive personal data" to cover things like race/ethnicity, politics, religious beliefs, sexual orientation etc. GDPR does the same, but also includes biometric and genetic data.
Biometric data = any data relating to a person's physical, physiological or behavioural characteristics which allows them to be identified.
Genetic data = any data relating to characteristics someone has inherited and which allows information about their health to be identified.
As most organisations keep only HR records, customer lists, contact details etc., the change should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it also falls within the scope of the GDPR.
Organisations have a duty to tell individuals how their personal data is processed. And they must do so in a format which is clear, concise and easily accessible.
That information must include the legal basis for processing. For data processing to be legal under the GDPR, organisations must document why they're processing the data because this legal basis determines the individual's rights. If you're processing someone's data because they've explicitly given you their consent, for example, that person will generally have stronger rights.
Other legal bases for processing data might be:
Necessary to obey the law
Necessary to perform a task in the public interest
The information should also include details of any legitimate interests the organisation has for using the data. That could be direct marketing, preventing fraud, or making sure the IT networks are secure.
The data subject should be told what right they have to lodge a complaint about how their data is stored and used, and how long their data will be retained.
GDPR refers to both ‘consent’ and ‘explicit consent’, but is unclear as to the difference given that both forms have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes.
Consent under the GDPR requires some form of clear affirmative action, whether that's clicking a tick box or actively choosing a setting. Just because the person hasn't specifically said no doesn't mean they've said yes. And pre-ticked boxes are now banned.
Consent to processing must be distinguishable, clear, and not “bundled” in with other written agreements.
Consent must be verifiable. So some form of record must be kept of how and when the person gave their consent.
Individuals have a right to withdraw consent at any time, and doing this should be as easy as it was for them to give their consent.
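The verifiable consent record described above, as an added example that is not part of the original presentation or of any EQMS product: a small Python ledger that only accepts a clear affirmative action (a pre-ticked box or silence cannot be recorded), keeps a timestamped record of how and when consent was given and which notice the person saw, treats withdrawal as a further event rather than a deletion so the history stays auditable, and answers whether consent was valid for a given purpose at a given moment. The subject ids, purposes, action names and notice versions are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ways of expressing consent that count as a clear affirmative action. Pre-ticked
# boxes and inactivity are deliberately absent, so they can never be recorded as consent.
AFFIRMATIVE_ACTIONS = {"ticked_box", "clicked_button", "chose_setting"}
WITHDRAWN = "withdrawn"


def utc(hour, day=25):
    """Constructed timestamps around 25 May 2018 for the example."""
    return datetime(2018, 5, day, hour, 0, tzinfo=timezone.utc)


@dataclass
class ConsentEvent:
    subject: str          # who gave or withdrew consent (constructed ids here)
    purpose: str          # the specific processing purpose, e.g. "marketing"
    action: str           # how consent was expressed, or WITHDRAWN
    notice_version: str   # which privacy notice the person saw, i.e. what "informed" meant
    at: datetime          # when (timezone-aware)


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record_consent(self, subject, purpose, action, notice_version, at):
        if action not in AFFIRMATIVE_ACTIONS:
            raise ValueError(f"{action!r} is not a clear affirmative action; consent not recorded")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware so the record is unambiguous")
        self.events.append(ConsentEvent(subject, purpose, action, notice_version, at))

    def withdraw(self, subject, purpose, at):
        # Withdrawal is just another event; nothing is deleted, so the trail stays verifiable.
        self.events.append(ConsentEvent(subject, purpose, WITHDRAWN, "", at))

    def has_consent(self, subject, purpose, at):
        """Was there valid consent for this subject and this purpose at the given moment?"""
        latest = None
        for e in self.events:
            if e.subject == subject and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.action != WITHDRAWN

    def evidence(self, subject, purpose):
        """The audit trail a supervisory authority could ask to see."""
        return [e for e in self.events if e.subject == subject and e.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_consent("subj-001", "marketing", "ticked_box", "notice-v2", utc(9))
    ledger.withdraw("subj-001", "marketing", utc(12))
    for event in ledger.evidence("subj-001", "marketing"):
        print(event)
```

Consent is checked per purpose, so consent to marketing says nothing about analytics, and `has_consent` is point-in-time: after a withdrawal the ledger still shows that processing before the withdrawal was covered.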
At present, the average time between a data breach and its discovery is 188 days. Under the new GDPR rules, this is not going to be acceptable. More robust systems are required to protect your organisation, customers and suppliers.
Under GDPR, all organisations have a duty to report certain types of data breach to the relevant authority, and in some cases to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. For example, a hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.
So a breach is more than just losing personal data.
An organisation only has to notify the relevant supervisory authority of a breach where it is likely to put people's rights and freedoms at risk – so that might be causing discrimination, reputational damage, financial loss, or a loss of confidentiality.
Where a breach is likely to put people's rights and freedoms at high risk, the organisation must notify those concerned directly. So the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
A breach of this kind must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. If the breach is serious enough to warrant notifying the public, the organisation must do so straight away.
Failing to give notice of a breach could lead to a fine of up to 10 million Euros or two per cent of the business's global turnover.
Accountability has always been an important element of data protection law, but the GDPR gives it more significance.
"Data protection by design" means promoting privacy and data protection compliance from the start when beginning a new project (might be building a new IT system, or an initiative to share data with other organisations).
Under the Data Protection Act, it was always a recommendation rather than an obligation. Under GDPR, organisations must be able to demonstrate their compliance with the principles of the regulation.
How to do this? Could:
Build into policies and procedures – e.g. new HR policies, carrying out regular audits
Implement staff training programmes
Use pseudonymisation – which is processing personal data in such a way that it can no longer be attributed to a specific "data subject" without the use of additional information, which must be kept separately and subject to the same measures
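Pseudonymisation as defined in the bullet above, as an added worked example that is not part of the original slides or of any EQMS product: direct identifiers are replaced by a keyed-hash pseudonym and moved into a separate vault, analytics runs on the pseudonymised records alone, and deleting the vault entry is what stops the remaining data being attributable to the person. The sample records, the vault class and all function names are constructed for this example; the code assumes the key and the mapping are stored apart from the dataset under separate access controls, which it illustrates but cannot enforce.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset: fictitious people and RFC 5737 documentation addresses.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "ip": "192.0.2.10", "purchase_total": 120.50},
    {"name": "Bob Example", "email": "bob@example.test", "ip": "192.0.2.11", "purchase_total": 42.00},
    {"name": "Alice Example", "email": "alice@example.test", "ip": "192.0.2.10", "purchase_total": 15.00},
]

# Fields that directly identify a person and must not stay in the working dataset.
DIRECT_IDENTIFIERS = ("name", "email", "ip")


class PseudonymVault:
    """The 'additional information' that GDPR says must be kept separately.

    Holds the secret key and the pseudonym -> identifiers mapping. In a real deployment
    this would be a separate store with its own access controls and audit trail
    (an assumption of this example); here it is an in-memory dict.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._mapping = {}

    def pseudonym_for(self, email: str) -> str:
        # Keyed hash (HMAC-SHA256): the same subject always gets the same pseudonym, so
        # records stay linkable for analytics, but without the key nobody can recompute
        # a pseudonym from a guessed e-mail address.
        digest = hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def store(self, pseudonym: str, identifiers: dict) -> None:
        self._mapping[pseudonym] = identifiers

    def lookup(self, pseudonym: str):
        return self._mapping.get(pseudonym)

    def erase(self, pseudonym: str) -> bool:
        # Dropping the mapping is how an erasure request can be honoured: the
        # pseudonymised records that remain can no longer be tied to the person.
        return self._mapping.pop(pseudonym, None) is not None


def pseudonymise(records, vault: PseudonymVault):
    """Return copies of the records with direct identifiers replaced by a subject_id."""
    out = []
    for rec in records:
        pid = vault.pseudonym_for(rec["email"])
        vault.store(pid, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_id": pid, **rest})
    return out


def reidentify(pseudo_record, vault: PseudonymVault):
    """Re-attach identifiers; returns None when the vault no longer knows the subject."""
    identifiers = vault.lookup(pseudo_record["subject_id"])
    if identifiers is None:
        return None
    rest = {k: v for k, v in pseudo_record.items() if k != "subject_id"}
    return {**identifiers, **rest}


def spend_per_subject(pseudo_records):
    """Analytics that works on the pseudonymised data alone: no identifiers needed."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0.0) + rec["purchase_total"]
    return totals


if __name__ == "__main__":
    vault = PseudonymVault(secrets.token_bytes(32))  # fresh key; keep it out of the dataset
    pseudo = pseudonymise(SAMPLE_RECORDS, vault)
    print(pseudo)
    print(spend_per_subject(pseudo))
    print(reidentify(pseudo[0], vault))
```

The working dataset can be handed to an analytics team or a processor without the identifiers, and a breach of that dataset alone exposes pseudonyms rather than people; whoever holds the vault is the one who can re-identify, which is why it needs separate controls.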
If processing "high risk" data, now a formal requirement to carry out a data protection impact assessment to identify risks of non-compliance.
Assessment must include a description of how and why data is processed, the risks involved, and measures employed to mitigate those risks.
Any organisation can appoint a data protection officer (DPO) but public authorities, and organisations who process sensitive data or criminal records on a large scale or regularly monitor data subjects (e.g. tracking online behaviour), MUST do so.
The GDPR gives data subjects a number of new rights when it comes to their personal data.
They're entitled to:
confirmation that their data is being processed, and to see a copy of that data
have their personal data rectified if it's inaccurate or incomplete
'be forgotten' – so they can ask for their data to be deleted or removed if there's no longer a compelling reason for it to be processed
restrict their personal data from being processed – for example, they might contest its accuracy, or need it for a legal claim. If processing is restricted, the organisation can store the data, just not process it
obtain and reuse their personal data as they see fit.
Our data protection policies must ensure that we tell people, during our first contact with them, that they have a right to object to our processing their data.
All our staff will need to understand what constitutes a data breach, and that this is more than just a loss of data.
We'll need to have internal procedures in place for detecting, investigating and reporting breaches. This will help us to decide who we need to notify.
If there is a data breach and someone without the correct authority gets access to personal data, then the IT teams need to be able to implement appropriate measures to render the data unintelligible.
We might also need to review our insurance policies to assess the extent of our coverage in case of any data breaches.
In Qualsys's case, our legal basis for processing is likely to be that we're doing so with the subject's consent. If other reasons apply, we'll need to have processes that allow us to demonstrate how we've reached decisions on how we use data.
If we're using consent as our basis for lawful processing, we need to make sure it's consent we've obtained correctly, in line with the provisions mentioned earlier. So clear affirmative action, consent given separately, and so on. We also need to ensure we make data subjects aware of the right to withdraw their consent at any time, and provide them with simple methods to do so.
To demonstrate our compliance with GDPR, we’ll need to draw up a data protection policy. And if we do that from a data-protection-by-design standpoint, we can make sure we’re promoting privacy and data protection compliance from the very beginning.
We can also strengthen our compliance by building certain measures into the policy, so, for example, conducting regular audits, training staff in data protection principles, pseudonymisation and so on.
If we decide to appoint a DPO, there are a number of things we need to do to make sure they can operate to the best of their ability.
As part of their role, the DPO would be:
informing and advising the company about our obligations to comply with GDPR and other data protection laws;
monitoring our compliance – including:
managing internal data protection activities
advising on data protection impact assessments
training staff, and
conducting internal audits; and
the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
It’s compulsory that the DPO:
reports to the board/directors
operates independently and is not penalised for doing their job
has sufficient resources to meet their GDPR obligations
The DPO can be recruited from our existing pool of employees, but their duties would need to be compatible and avoid any conflict of interest. Whoever was chosen would not need any special qualifications, but should have professional experience and knowledge of data protection law.
So, to finish, we know that in a year’s time there will be a new EU regulation that determines how businesses such as ours handle people’s personal data.
We know that:
the regulation gives people much stronger rights over their data
we’ll have to be more transparent about how we use people’s data, and
we’ll have a duty to demonstrate how we’re complying with the regulation overall.
To do that, we’ll need to:
review our policies and procedures
establish our legal basis for using people’s data, and
think about whether we need to appoint a data protection officer to do all the work for us.