1. Data privacy & GDPR
Jacques Folon, Ph.D.
CEO GDPRfolder
External DPO
Professor
ICHEC
Visiting professor
ESC Rennes School of Business
Université Saint Louis
HE F.Ferrer
11. 4
By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated !
Mark Zuckerberg
If you have something that you don’t
want anyone to know, maybe you
shouldn’t be doing it in the first place.
Eric Schmidt
22. The person who took the photo
is a real friend
22
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg
40. GDPR in
one slide
TER
R
ITO
R
IA
LSC
O
PE
Non-EUEstablishedO
rganizations
O
ffer goods or ser vices or engaging in
m
onitoring within the EU
.
PER
SO
NA
LD
A
TA SENSITIVED
A
TA
ENFO
R
C
EM
ENT
LA
W
FU
LPR
O
C
ESSING
C
O
NSENT
R
ESPO
NSIB
ILITIESO
FD
A
TAC
O
NTR
O
LLER
SA
NDPR
O
C
ESSO
R
S
R
IG
H
TSO
FD
A
TASU
B
JEC
TS
Transparency
Purpose
Specificationand
M
inim
ization
A
ccess and
R
ectification
A
utom
ated
D
ecision- M
aking
R
ightto D
ata
Portability
R
ightto
Erasure
D
A
TAB
R
EA
C
HNO
TIFIC
A
TIO
N
D
ataProtection
O
fficer (D
PO
)
D
ata
Protectionby
D
esign
INTER
NA
TIO
NA
LD
A
TATR
A
NSFER
D
ataIm
pact
A
ssessm
ent
R
ecordof D
ata
ProcessingA
ctivities
TH
EPLA
YER
S
D
ata
Subjects
D
ataC
ontrollers
D
ata
Processors
Supervisory
A
uthorities
Identified Identifiable
R
acial or
EthnicO
rigin
R
eligious or
Philosophical
B
eliefs
H
ealth
Trade U
nion
M
em
bership Sex
Life
Political
O
pinions
B
iom
etric
D
ata
G
enetic
D
ata
“R
ight not to be subject to a
decision basedsolely on
autom
atedprocessing,
including profiling.”
Apersonal databreachis “abr each of
security leading to the accidental or
unlawful destr uction,loss,alter ation,
unauthorized disclosure of,or access
to,personal datatransm
itted,storedor
otherwise processed.”
C
ollection and processing of per sonal datam
ust
be for “specified,explicit and legitim
ate purposes”
– withconsent of datasubject or necessar y for
C
onsent m
ust be freely
given,specific,
infor m
ed,and
unam
biguous.
M
odel
C
ontractual
C
lauses
Privacy
Shield
B
inding
C
orporate
R
ules
(B
C
R
s)
A
dequate Level of
D
ataProtection
If likely to result in ahighprivacy r isk notify datasubjects
Notify super visory authorities no later
than 72hour s after discovery.
U
pto 20 m
illion euros or 4%of total annual worldwide
turnover . Less serious violations: U
pto 10m
illion
euros or 2%of total annual worldwide turnover.
EUEstablishm
ents
M
aintain adocum
ented
r egister of all activities
involving processing of EU
per sonal data.
built in starting at
the beginning of the
design process
D
esignate D
POif core
activity involves r egular
m
onitoring or processing
large quantities of
per sonal data..
For highr isk
situations
www.teachpr iv acy.com
GDPR
W
orkforce aw
areness trainingbyProf.D
aniel J.Solove
• perform
ance of a contr act
• com
pliance with alegal
obligation
• to pr otect aperson’s
vital interests
• taskin the public
interest
• legitim
ate inter ests
Effective Judicial R
em
edies:
com
pensation for m
ater ial and
non-m
aterial harm
.
Fines
Security
Please askperm
issionto reuse or distribute
57. IN 3 WORDS
57
• GDPR IS A "REGULATION" ><
"DIRECTIVE"
• WORLDWIDE INFLUENCE
• CONSEQUENCES FOR COMPANIES
AND PUBLIC SECTOR
58. 58
MAY 2018
ENTRY INTO FORCE MAY
25,2018
DISCUSSED SINCE 2014
VOTED IN 2016
RISKS
PENALTIES
4% ANNUAL TO
20 M €
COMPENSATION IN COURT
REPUTATION
IMPACT
CONTRACT
PROCESSES
MARKETING
ORGANISATION
60. PERSONAL DATA
60
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference
to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;
61. PROCESSING
61
‘processing’ means any operation or set of operations
which is performed on personal data or on sets of personal data,
whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination
or otherwise making
available, alignment or combination, restriction, erasure or destruction;
62. CONTROLLER
62
controller’ means the natural or legal person, public authority, agency or
other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined
by Union or Member State law, the controller or the specific
criteria for its nomination may be provided for
by Union or Member State law;
63. processor or sub-contractor
63
processor means a natural or legal person,
public authority, agency or
other body which processes
personal data
on behalf of the controller
64. 64
The carrying out of processing by way of a processor
must be governed by a contract or legal act binding
the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State
in which the processor is established, shall also be incumbent
on the processor
65. data breach
65
personal data breach’ means a breach of
security leading to the accidental or
unlawful destruction, loss,
alteration, unauthorised disclosure of, or
access to, personal data transmitted,
stored or otherwise processed
66. C : 12 MAIN PRINCIPLES OF GDPR
66
1. Accountability
2. Consumer / citizen rights
3. Privacy by design
4. Information security
5. Data breach
6. Penalties
7. identity access management
8. lawfulness for processing
9. Register
10.Risk analysis and PIA
11.Training
12.Data privacy officer
72. 2/ Consumer/citizen's right
72
TRANSPARENCY
SENSITIVE INFORMATIONS
INFORMATION COLLECTED
RIGHT OF ACCESS
RIGHT TO RECTIFICATION
RIGHT TO ERASE
RIGHT OF PROCESSING LIMITATION
PORTABILITY
RIGHT OF OPPOSITION TO PROFILING
101. Where do one steal
data?
•Banks
•Hospitals
•Ministries
•Police
•Newspapers
•Telecoms
•...
Which devices are
stolen?
•USB
•Laptops
•Hard disks
•Papers
•Binders
•Cars
103. DATA PRIVACY & THE EMPLOYER
45
http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg
104. SO CALLED HIDDEN COSTS
46
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/
126. 126
the data subject's consent'
shall mean any freely
given specific and informed
indication of his wishes
by which the data subject signifies
his agreement to personal
data
relating to him being processed
129. 129
Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes.
Further processing of data for historical, statistical or scientific
purposes shall not be considered as incompatible provided
that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or rectifie
(e) kept in a form which permits identification of data subjects for
no longer than is necessary for the purposes for which the data
were collected or for which they are further processed.
Member States shall lay down appropriate safeguards for personal
data stored for longer periods for historical, statistical or scientific use.
130. 130
Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of
data concerning health or sex life
143. METHODOLOGY
143
1. PRELIMINARY AUDIT
2. RISK ANALYSIS
3. LIST OF SERVICES
4. RECORD OF PROCESSING ACTIVITIES
5. ACTION PLAN
6. SERACH FOR COMPLIANCE
7. SOLUTION FOR NON COMPLIANCE
8. CONTINUOUS PROCESSES
9. TRAINING
Préparation
Implémentation
Pérennisation
147. RISKS
SOURCE DE L’IMAGE : http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html
148. Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
149. Social Media Spam
Compromised Facebook
account. Victim is now
promoting a shady
pharmaceutical
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
150. Social Media Phishing
To: T V V I T T E R.com
Now they will have
your username and
password
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
151. Social Media Malware
Clicking on the
links takes you
to sites that will
infect your
computer
with malware
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
155. 3rd Party Applications
•Games, quizzes, cutesie stuff
•Untested by Facebook – anyone
can write one
•No Terms and Conditions – you
either allow or you don’t
•Installation gives the developers
rights to look at your profile and
overrides your privacy settings!
Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
162. 87
“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin