GDPR Awareness - SPIN Chennai session 28-Jul-2018

1. INTRODUCTION TO GDPR
Attempt to Demystify GDPR
© Ramkumar Ramachandran – No part of this publication can be copied or stored in any form. Please obtain prior approval before use; write to ram@tevelcyber.com

2. GDPR INTRODUCTION
What is GDPR?
Why is it important?
Evolution of GDPR
GDPR Terms
Roles in GDPR
GDPR Principles
Lawful Purposes in GDPR

3. 7/28/2018 3
MY IDENTITY
• Ramkumar Ramachandran
• Technology Startup – Tevel Cyber Corps
• Director & CIO
• ISMS, GDPR, Agile, DevOps, VA/PT, Cyber Forensics
• Global experience in 10+ countries
• Aeronautical Engineer / IIM-C Alumni / MIT Sloan Systems Thinking
• CSQA, CISA, PMP, LA QMS/ISMS/SMS
• IIIT-B Visiting Faculty
• ram@tevelcyber.com
© Ramkumar Ramachandran

4. WHAT IS GDPR?

5. WHERE IT ALL STARTED
Data Privacy
Act is not a
very new
one Privacy Act
1974 in US
is the first
one
OECD countries
created their
own privacy
laws and
guidelines
EU Directive on
personal data
95/46 EC 1995
– First formal
European
adoption
EU Data
Protection Act
came into
effect in 1998
EU Data Protection Directive 1995
demands: -
• Comprehensive protection of
personal information
• Clear restrictions of data transfer
• Allows data transfer to third
country subject to adequate level
of protection
Need for change in
protection laws
• Evolution of technology
• Internet
• Social Media
There was need to be
more explicit in terms
used

6. WHAT IS GDPR?
• The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation
• By which the European Parliament, the Council of the European Union and the European Commission
• Intended to strengthen and unify data protection for all individuals within the European Union (EU)
• Applies to all member states of EU
• Applies to all organization processing the data of EU data subjects – wherever the organization is geographically
based
• Data Protection Act 1998 upgraded to GDPR
• Will supersede national laws
• Is meant to unify data protection and ease flow of personal data
• All organizations processing PII of EU residents must comply
First
proposed in
January 2012
Formally
approved in
April 2016
Came into
force from
May 2018

7. WHY IS GDPR A “REGULATION”?
It’s important to understand few legal terms: -
Data Protection Directive Vs. General Data Protection Regulation
• DIRECTIVE – Is a law that must be elaborated and ratified as law by each member state
• REGULATION – Is a law and need not be elaborated and ratified by each member state
So GDPR became legally binding law from 25th May 2018 onwards
Directive was active at a time technology was not so advanced with Social Media, Mobile, Cloud
and more
GDPR addresses Data Privacy in a Technology Age

8. WHICH DATA SUBJECTS IS COVERED UNDER GDPR?
European
Union
EU
Citizens
Non EU
EU
Citizens
Non-EU
Citizens
COVERED NOT
COVERED

9. DEFINITION OF GDPR
GDPR is a set of rules governing how the personal data of individuals is processed and is
applicable to customers, employees, and supplier personnel who are residing in
European Union
This applies to ‘Natural Persons’ meaning ‘individual human beings’ as opposed to ‘legal entity’ which could mean
companies

10. 10
DATA SUBJECTS RIGHTS
1. Right to information - Right to ask what personal data of theirs is processed and
with whom it is shared
2. Right to access - Right to access their own data as well as request copies of the
same
3. Right to rectification - Right to request for change to their data if it not accurate
4. Right to withdraw consent - Right to withdraw the previously given consent, so
that company does not process their data anymore
5. Right to object - Right to object when his/her data is processed in variance to
committed purposes. This is similar to ‘Withdraw Consent’
6. Right to object to automated processing - Right to demand only manual
processing to understand the uniqueness of the data subject
7. Right to be forgotten - Right to request for deletion of their data. To be in
conjunction with retention period and retention schedule in-line with applicable
laws
8. Right for data portability - Right to return the data or transfer it to another
controller

11. TERMS – PERSONAL DATA
• Data that can be used to identify a living person
• This could be direct or in-direct identification
• Examples: -
• Photos
• IP Addresses
• CCTV Images
• Email Ids
• Social Media Profiles

12. TERMS – SENSITIVE DATA
• Data that would be damaging, when revealed
• Examples: -
• Race
• Biometric Details
• Political Association
• Criminal History
• Sexual Orientation
• Religion

13. TERMS – PROCESSING
• Processing could pertain any operations performed on personal data
• This could be: -
• Collecting
• Storing
• Using
• Sending
• Deleting
• Collection includes ‘recording’
• Using includes Retrieval, Usage, Modification, combining or linking of data

14. TERMS – PSEUDONYMISATION
• It is the mechanism of replacing the personal data with an identifier that makes it difficult to
identify the individual
• Examples: -
• Customer Id
• Student Exam Id
• Role / Designation of an Employee
• While it is difficult, it is not impossible to trace the actual personal data. Thereby GDPR treats
pseudonymised data also as Personal Data

15. TERMS – ANONYMISATION
• It is the mechanism of replacing the personal data with an identifier using multiple conditions
thereby it is not re-creatable to the original form
• Anonymised data can never be identified towards its original form
• Some of the data where Anonymisation is done are: -
• Social Security Number
• Bank Account Details
• Credit Card Numbers
• Telephone Numbers
• Postal Addresses
Some Methods of Anonymisation: -
• Directory Replacement
• Scrambling
• Masking
• Blurring

16. GDPR STRUCTURE – 11 CHAPTERS AND 99 ARTICLES
Chapter 1 – General Provisions (Art. 1- 4)
Chapter 2 – Principles (Art. 5 -11)
Chapter 3 – Rights of the data subject (Art. 12 – 23)
Chapter 4 – Controller and Processor (Art. 24– 43)
Chapter 5 – Transfer of Personal data to 3rd countries or international organizations (Art. 44 – 50)
Chapter 6 – Independent supervisory authority ( Art. 51 – 59)
Chapter 7 – Cooperation and consistency (Art. 60 – 76)
Chapter 8 – Remedies, liability and penalties (Art. 77 – 84)
Chapter 9 – Provisions relating to specific processing situations (Art. 85 – 91)
Chapter 10 – Delegated acts and implementing acts ( Art. 92 – 93)
Chapter 11 – Final Provisions (Art. 94 – 99)

17. ROLES – CONTROLLER
• Refers to a natural or legal person, public authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the processing of personal data
• Examples: -
• Organizations
• Professional Bodies
• Non-Profit Entities
• Government Agencies
• Data Controllers can be jointly responsible across entities
• Accountable for GDPR compliance
• Upholds Data Subjects’ rights

18. ROLES – PROCESSORS
• A natural person or legal entity that processes personal data on behalf of Data
Controller
• Controller and Processor can be the same
• Example: Organization’s processing their own employee data
• When it is a Third Party, must comply with Data Processing Agreement

19. ROLES – DATA PROTECTION OFFICER
• Data Protection Officer (DPO) is a leadership position required by EU GDPR in companies that
processes personal data of EU Citizens
• This need not be a single dedicated person for this role
• DPO is expected to oversee the Data Protection approach, strategy and execution
• Appointment of DPO is decided based on the sensitivity of data processed and not based on
the volume. Ex. Healthcare analytics organization may need a DPO but enterprises that only
process their employee data need not have a DPO
• DPO is responsible for GDPR compliance of the organization

20. ROLES – SUPERVISORY AUTHORITY
EU
EU country
Supervisory
Authority
EU country
Supervisory
Authority
• Each EU country has formed a governing body to
monitor the compliance towards GDPR
• This entity is called as Supervisory Authority
• This body is typically is a Information Commission, a
data protection authority or an equivalent entity
• In UK it is the Information Commission Office (ICO)

21. ROLES – LEAD SUPERVISORY AUTHORITY
• Data Controllers spread across geographies could be termed as ‘Joint Data Controllers’
• Since each EU country could have a ‘Supervisory Authority’ they can appoint one of them as
‘Lead Supervisory Authority’
• All the events pertaining to Data Privacy will be reported to this Lead Supervisory Authority
• Ex. Data Breaches, Data Protection Officer appointments etc.
• When a Data Subject lodges a complaint with a Supervisory Authority, they may not be the
Lead Supervisory Authority.
• In such case, the Supervisory Authority, without any delay, is expected to intimate the same
to Lead Supervisory Authority
• Then Lead Supervisory Authority may decide as to who should handle this complaint

22. ROLES – LEAD SUPERVISORY AUTHORITY
EU Country 1
Supervisory
Authority
Joint Data
Controller
Joint Data
Controller
Lead
Supervisory
Authority
EU Country 2 EU Country 3
Supervisory
Authority
Joint Data
Controller
Country
Governmental Body
Organization

23. DATA PROCESSING LOCATIONS
23
Controller & Processor
Inside EU
Processor – Inside EU
Processor – Outside EU
Supervisory Authorities

24. LIABILITY & PENALTIES – FOR LESS IMPORTANT BREACHES
Article 83: General conditions for imposing administrative fines.
ϵ 10,000,000 or, in case of an undertaking, 2% total worldwide annual turnover in the preceding financial year
(whichever is higher). Infringements in the following provisions: -
• The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
• The obligations of the certification body pursuant to Articles 42 and 43;
• The obligations of the monitoring body pursuant to Article 41(4)

25. LIABILITY & PENALTIES – FOR MORE IMPORTANT BREACHES
Article 83: General conditions for imposing administrative fines.
ϵ 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial
year (whichever is higher) . Infringements in the following provisions: -
• The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
• The data subjects’ rights pursuant to Articles 12 to 22;
• The transfers of personal data to a recipient in a third country or an international organisation pursuant
to Articles 44 to 49;
• Any obligations pursuant to Member State law adopted under Chapter IX;
• Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of
data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation
of Article 58(1)

26. HOW IS LIABILITY DECIDED?
Following are the considerations done before a penalty is decided: -
• The nature, gravity and duration of the infringement taking into account the nature scope or purpose of the
processing concerned as well as the number of data subjects affected and the level of damage suffered by
them;
• The intentional or negligent character of the infringement;
• Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
• The degree of responsibility of the controller or processor taking into account technical and organizational
measures implemented by them pursuant to Articles 25 and 32;
• Any relevant previous infringements by the controller or processor;
• The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate
the possible adverse effects of the infringement;
7/28/2018 26

27. HOW IS LIABILITY DECIDED? (CONTD.)
Following are the considerations done before a penalty is decided: -
• The categories of personal data affected by the infringement;
• The manner in which the infringement became known to the supervisory authority, in particular
whether, and if so to what extent, the controller or processor notified the infringement;
• Where measures referred to in Article 58(2) have previously been ordered against the controller or
processor concerned with regard to the same subject-matter, compliance with those measures;
• Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms
pursuant to Article 42; and
• Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial
benefits gained, or losses avoided, directly or indirectly, from the infringement.
7/28/2018 27

28. GDPR PRINCIPLES – ARTICLE 5 OF GDPR

29. GDPR PRINCIPLES
Rule # 1: Lawfulness, fairness, and transparency
Personal data must be processed in lawful manner, fairly and transparently. It shall be
maintained with respect to the data subject.
• Should be legally valid
• Used for the purpose stated to the data subject and
• In a manner known to all relevant stakeholders

30. GDPR PRINCIPLES
Rule # 2: Limitation of purpose
Personal data must be collected for specific, explicit and legitimate purpose. Processing must be
limited to the legitimate purpose only
• Purpose of data collection should be up-front declared
• Should be a legitimate purpose
• Processing should be limited to the defined legitimate purpose

31. GDPR PRINCIPLES
Rule # 3: Data Minimisation
Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed
• Only pertinent data shall be collected
• Any personal data that does not serve the purpose should not be collected
• Ex. A ticket booking site should not ask about Traveler’s salary

32. GDPR PRINCIPLES
Rule # 4: Accuracy
Personal data shall be accurate and, where necessary, kept up to date
• Personal data shall be updated to keep it accurate
• Data Subjects shall be allowed to update their details to ensure that it is
current

33. GDPR PRINCIPLES
Rule # 5: Storage Limitation
Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes
• Retention period of the data should be declared and adhered to
• Personal data should not be retained beyond the stated period
• Ex. Personal data collected during Ticket Booking for Cricket Match should be discarded upon
completion of the match or as stated to the Data Subjects

34. GDPR PRINCIPLES
Rule # 6: Integrity and Confidentiality
Personal data shall be processed in a way that ensures security, including protection against un-
authorized and un-lawful processing, damage or loss
• Safety of the personal data collected has to be ensured
• Personal Data breaches should foreseen and steps taken accordingly to mitigate the same
• Any un-authorized or un-lawful processing of personal data should not be allowed

35. SIX LAWFUL WAYS OF DATA PROCESSING
Image Courtesy: https://www.i-scoop.eu/gdpr/legal-grounds-lawful-processing-personal-data/

36. LAWFUL PURPOSE # 1
Performance of Contractual Agreement
• You can rely on this lawful basis if you need to process someone’s personal data:
• To fulfil your contractual obligations to them; or
• Because they have asked you to do something before entering into a contract (eg provide a quote).
• The processing must be necessary. If you could reasonably do what they want without processing their
personal data, this basis will not apply.
• You should document your decision to rely on this lawful basis and ensure that you can justify your
reasoning.
• Ex. A car insurance quote can be given by Service Provider only after getting certain basic details

37. LAWFUL PURPOSE # 2
Legal Obligation
• You can rely on this lawful basis if you need to process the personal data to comply with a common law or
statutory obligation.
• This does not apply to contractual obligations.
• The processing must be necessary. If you can reasonably comply without processing the personal data, this
basis does not apply.
• You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
• You should be able to either identify the specific legal provision or an appropriate source of advice or guidance
that clearly sets out your obligation.
• Ex. An employer needs to process personal data to comply with its legal obligation to disclose employee salary
details to HMRC (Income Tax). The employer can point to the HMRC website where the requirements are set
out to demonstrate this obligation. In this situation it is not necessary to cite each specific piece of legislation.

38. LAWFUL PURPOSE # 3
Vital Interests
• You are likely to be able to rely on vital interests as your lawful basis if you need to process the
personal data to protect someone’s life.
• The processing must be necessary. If you can reasonably protect the person’s vital interests in
another less intrusive way, this basis will not apply.
• You cannot rely on vital interests for health data or other special category data if the individual is
capable of giving consent, or even if they refuse their consent.
• You should consider whether you are likely to rely on this basis, and if so document the
circumstances where it will be relevant and ensure you can justify your reasoning.
• Ex: An individual is admitted to the A & E department of a hospital with life-threatening injuries
following a serious road accident. The disclosure to the hospital of the individual’s medical history is
necessary in order to protect his/her vital interests

39. LAWFUL PURPOSE # 4
Public Interest
• You can rely on this lawful basis if you need to process personal data:
• ‘In the exercise of official authority’. This covers public functions and powers that are set out in law; OR
• To perform a specific task in the public interest that is set out in law
• It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or
carries out tasks in the public interest
• You do not need a specific statutory power to process personal data, but your underlying task, function or
power must have a clear basis in law
• The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less
intrusive way, this lawful basis does not apply
• Document your decision to rely on this basis to help you demonstrate compliance if required. You should be
able to specify the relevant task, function or power, and identify its statutory or common law basis
• Ex. Government body collecting census data to provide various welfare measures fall under this category

40. LAWFUL PURPOSE # 5
Legitimate Interest
• Legitimate interests is the most flexible lawful basis for processing
• It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which
have a minimal privacy impact, or where there is a compelling justification for the processing.
• If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and
protecting people’s rights and interests.
• Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than
performing their tasks as a public authority
• Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
• Ex. Processing of personal data to produce sales reports for management is a basic activity that a company
must perform for running the company effectively

41. LAWFUL PURPOSE # 6
Consent
• The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult,
look for a different lawful basis.
• Consent means offering individuals real choice and control. Genuine consent should put individuals
in charge, build trust and engagement, and enhance your reputation.
• Check your consent practices and your existing consents. Refresh your consents if they don’t meet
the GDPR standard.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default
consent.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions

42. LAWFUL PURPOSE # 6 (CONTD.)
Consent (contd.)
• Name any third party controllers who will rely on the consent
• Make it easy for people to withdraw consent and tell them how
• Keep evidence of consent – who, when, how, and what you told people
• Consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
• The name of your organization;
• The name of any third party controllers who will rely on the consent;
• Why you want the data;
• What you will do with it; and
• That individuals can withdraw consent at any time
Interactive Guidance Tool from ICO UK for deciding on legitimate
data processing
https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-
resources/lawful-basis-interactive-guidance-tool/

43. MYTHS OF GDPR
• GDPR is only applicable in EU
• It applies any organization that processes the personal data of EU residents
• Consent is the only way to get data subject concurrence to process their data
• There are six legitimate ways that GDPR defines under GDPR Principles
• All Organizations need Data Protection Officer
• DPO is needed only if the organization is public and engages large scale sensitive data
• My backoffice services do not download customer data
• Even ‘viewing’ of data is considered as ‘processing’ of personal data
• I have ISO 27001 certification, so I comply to GDPR
• Sorry, you are only right to a certain extent. GDPR is bit more than that

44. WHICH INDUSTRIES WILL BE IMPACTED?
• Industries that provide services to individual customers – as Controllers
• Ex. Financial Services, Retailers etc.
• Industries providing backoffice support services – as Processors
• Ex. Marketing support, BPO etc.
• Professional Bodies – as Controllers
• Ex. Clubs, Professional Associations etc.
• NGO, Charity Organizations, Non-Profit Organizations – as Controllers

45. 45
MANDATORY GDPR DOCUMENTS
 Personal Data Protection Policy
 Privacy Notice
 Data Retention Policy
 Data Retention Schedule
 Inventory of Processing Activities
 Data Protection Impact Assessment
(DPIA) Register
 Data Breach Notification Procedure
 Data Breach Register
 Parental Consent Withdrawal Form
 Data Subject Consent Form
 Data Subject Consent Withdrawal Form
 Parental Consent Form
 Data Protection Officer – Job
Description
 Data Breach Notification to the
Supervisory Authority
 Data Breach Notification to the Data
Subjects
 Standard Contractual Clauses for the
Transfer of Personal data to Controllers
 Standard Contractual Clauses for the
Transfer of Personal data to Processors
General: For Data Controllers
 Standard Contractual Clauses for the
Transfer of Personal data to
Processors
 Data Breach Notification to Data
Controllers
For Data Processors

46. © Ramkumar Ramachandran – No part of this publication can be copied or stored.
ROLLOUT STEPS – GDPR IMPLEMENTATION
1) Define the scope
2) Define the Privacy Policy
3) Publish the Privacy Notice
4) Create Inventory of Processing Activities & Retention
5) Communicate and Create Awareness
6) Conduct Information Audit
7) Conduct Privacy Impact Assessment
8) Establish the rights to process personal data
9) Plan for Consent
10) Decide on Children Consent
11) Define the Responsibilities of DPO, Controller and Processor
12) Mechanisms to handle Suppliers who are Data Processors
13) Decide on Cloud Considerations
14) Decide on how to react during data breaches
15) Ensuring Security by Design
16) How do you handle data sent outside EU
17) Understanding clearly the Data Subject Rights
18) Handling Subject Access Requests

47. END OF SECTION
© Ramkumar Ramachandran – No part of this publication can be copied or stored in any form. Please obtain prior approval before use; write to ram@tevelcyber.com