The document provides an overview of key aspects of the General Data Protection Regulation (GDPR). It defines important terms, outlines citizens' rights, and discusses the three main pillars of GDPR: informing and obtaining consent, responsibility, and accountability. It also examines requirements around data protection officers, impact assessments, fines for noncompliance, and the top 10 operational impacts of GDPR implementation, such as data security, consent, cross-border transfers, and vendor management. The presentation aims to help organizations understand and comply with GDPR.
13. CITIZEN’S RIGHTS
Key Points
- Clearer right to erasure (right to be forgotten)
- Right to know when their data has been hacked
- Easier access to their data
- A new right to data portability
14. GDPR: 3 MAIN PILLARS
Interesting to know: GDPR applies to everyone who processes personal data; it makes no distinction between B2C and B2B.
1. INFORM & CONSENT
2. RESPONSIBILITY
3. ACCOUNTABILITY
At the centre of all three: the RIGHTS OF THE DATA SUBJECT.
16. DO I NEED A DPO?
The myth of the Data Protection Officer.
Public Sector: Are you a governmental body, public authority or institution? (* Except for courts.)
Large Scale Monitoring: Are you performing large scale observations or systematic monitoring of data subjects on a large scale?
Numbers (?): 5000 data subjects, 250 employees
Special Data: Do you process mainly sensitive personal data?
17. DO I NEED A DPIA?
Data Protection Impact Assessment
The question is as simple as “Do I need insurance?” SMEs and independent contractors will probably not need a full blown data protection audit, but it won’t hurt to document your existing workflows. Needless to say, clients with GDPR compliance obligations will demand the same effort from your organisation, since their own compliance depends on the totality of their subcontractors. So yes, you’re probably involved, and it will be key to be proactive in this process.
18. ADMINISTRATIVE FINES
€10M / 2%
➡ For infringements of the obligations of the controller (Articles 8, 11, 25 to 39, 42 and 43)
➡ For infringements of the obligations of the certification body (Articles 42 and 43)
➡ For infringements of the obligations of the monitoring body (Article 41)
€20M / 4%
➡ For infringements of the basic principles for processing, including conditions for consent (Articles 5, 6, 7 and 9)
➡ For infringements of the data subjects’ rights (Articles 12 to 22)
➡ For infringements of the transfers of personal data to a recipient in a third country or an international organisation (Articles 44 to 49)
➡ For infringements of any obligations to Member State law
➡ For non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority, or failure to provide access (Article 58)
22. OPERATIONAL IMPACTS
Top 10
1. Data security and breach notification
2. The mandatory DPO
3. Consent
4. Cross-border data transfers
5. Profiling
6. RTBF and data portability
7. Vendor management
8. Pseudonymisation
9. Codes of conduct and certifications
10. Consequences for GDPR violations
23. 1 Data Security and Breach Notification
Top 10 Operational Impacts
The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organisational measures”, including:
- Pseudonymisation and encryption.
- Ensuring continuous confidentiality, integrity, availability and resilience of processing systems and services.
- Restoring access to personal data in a timely manner in the event of a physical or technical incident.
- An embedded process for testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring security.
In the event of a data breach, data controllers must notify the supervisory authority without undue delay, and where feasible not later than 72 hours after becoming aware of the breach / incident. After that, the controller must provide reasoned justification for any delays.
25. 2 The mandatory DPO
Top 10 Operational Impacts
Data controllers and processors must appoint a DPO on “regular and systematic monitoring of data subjects on a large scale” or “large-scale processing of special categories of personal data”.
Article 37 does not state precise credentials, but requires DPOs to have “expert knowledge of data protection law and practices”. Tasks include:
- Monitoring compliance, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Informing and advising controller and processor.
- Advising on DPIA when required (Article 35).
- Working and cooperating with the supervisory authority, serving as SPOC.
- Being available for inquiries from data subjects on issues relating to data protection practices, consent withdrawal, the right to be forgotten, ….
These responsibilities mirror those of privacy professionals globally.
26. 3 Consent
Top 10 Operational Impacts
The definition of consent is significantly restricted. GDPR requires the data subject to signal agreement by “a statement or a clear affirmative action.” In addition, GDPR introduces restrictions on the ability of children to consent without parental authorization. Consent must be “freely given, specific, informed and unambiguous”.
An affirmative action of consent may include ticking a box, “choosing technical settings for information society services,” or “another statement or conduct” that clearly indicates consent to the data processing. “Silence, pre-ticked boxes or inactivity,” however, is presumed inadequate.
Article 7 gives data subjects the right to withdraw consent at any time, and “it shall be as easy to withdraw consent as to give it.”
Consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.”
Consent must be specific to each purpose.
28. LAWFULNESS OF PROCESSING
Art. 6
a. CONSENT
b. CONTRACTUAL
c. LEGAL OBLIGATION
d. VITAL INTERESTS
e. PUBLIC TASK
f. LEGITIMATE INTEREST
29. 4 Cross-Border Data Transfers
Top 10 Operational Impacts
GDPR allows for data transfers to countries whose legal regime is deemed by the EC to provide for an “adequate” level of personal data protection.
In the absence of an adequacy decision, transfers to non-EU states are also allowed on the basis of standard contractual clauses or Binding Corporate Rules (BCRs). Standard contractual clauses, which before GDPR required prior notice to and approval by DPAs, may now be used without prior approval.
Article 42 allows transfers based on certifications, provided that binding and enforceable commitments are made to apply appropriate safeguards*.
GDPR also makes it clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.
* Codes of Conduct, Certification mechanisms, BCRs and standard contractual clauses.
30. 5 Profiling
Top 10 Operational Impacts
GDPR restricts automated data processing, and gives data subjects significant rights to avoid profiling-based decisions. Some (notice, access) require procedures similar to non-profiling data processing; others will require specific processes for compliance (object, restrict, profiling, …).
Data subjects have a right not necessarily to avoid profiling itself, but rather to avoid being “subject to a decision based solely on automated processing.” For decisions made based on a contract or consent, the controller must still allow the data subject to object.
In case of profiling decisions, the controller must inform a data subject at the time data is collected not only that profiling will occur, but also the logic involved, and the consequences of such processing.
Even when profiling is lawful, a data subject always has the right to object (unless legitimate reason).
Profiling also triggers a DPIA.
35. 6 RTBF and Data Portability
Top 10 Operational Impacts
RTBF allows individuals to request the deletion of personal data, and, where the controller has publicised the data, to require other controllers to also comply with the request.
Where a data subject requests the erasure of data that has been made public, the controller must take “reasonable steps” to inform other controllers about the objection, unless it would require “disproportionate effort.” Any controller processing the data must then erase copies of it or links to it.
Data portability requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.
The right to data portability applies only when processing is based on the user’s consent or on a contract. It does not apply to processing based on public interest or legitimate reason.
These rights create a need to implement systems responsive to user requests concerning their data.
37. 7 Vendor Management
Top 10 Operational Impacts
GDPR expands significantly upon the controller’s responsibility for processing activities and sets out specific rules for allocating responsibility between the controller and processor. The burden for data protection still rests primarily with controllers.
The controller decides on the processing activities, regardless of whether it actually carries out any processing operations. Controllers must implement appropriate technical and organisational measures not only to ensure compliance, but also to be able to demonstrate their security measures.
Controllers are liable for the actions of the processors they select. Controllers must only use processors that provide sufficient guarantees of their abilities to meet the GDPR requirements. The controller should also consider carrying out a DPIA prior to selecting a processor.
When non-compliance is established, the burden shifts to controllers and processors to prove they are not responsible for the damage in any way.
39. 8 Pseudonymisation
Top 10 Operational Impacts
GDPR does not apply to data that “does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.”
Pseudonymisation is the separation of data from direct identifiers so that linkage is not possible without additional data held separately. Pseudonymisation significantly reduces the risks associated with data processing while maintaining the data’s utility, but is by itself not sufficient to exempt data from the scope of the GDPR.
- Pseudonymisation facilitates the processing of data beyond the original collection purposes.
- Pseudonymisation is an important safeguard for processing personal data for scientific, historical and statistical purposes.
- Pseudonymisation is a central feature of data protection by design.
- Controllers can use pseudonymisation to help meet the GDPR’s data security requirements.
- Controllers do not need to provide access, rectification, erasure or data portability if they can no longer identify the data subject.
- GDPR encourages controllers to adopt codes of conduct that promote pseudonymisation.
41. 9 Codes of Conduct and Certifications
Top 10 Operational Impacts
GDPR authorises “associations or other bodies representing controllers or processors” to draw up codes of conduct or amend existing ones. Such codes should address, among other things:
- Fair and transparent processing.
- The legitimate interests pursued by controllers in specific contexts.
- The collection of personal data.
- The pseudonymisation of personal data.
- The information provided to the public and to data subjects.
- The exercise of the rights of data subjects.
- Information provided to and the protection of children, and the manner in which parental consent is to be obtained.
- General data protection obligations of controllers, including privacy by design and security measures.
- Notification of personal data breaches to supervisory authorities and communication of such personal data breaches to data subjects.
- Policy on transfer of personal data to third countries or international organisations.
- Dispute resolution procedures.
42. 10 Consequences for GDPR Violations
Top 10 Operational Impacts
The GDPR creates two tiers of maximum fines depending on whether the controller or processor committed any previous violations and the nature of the violation.
The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher.
The lower fine threshold is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
These amounts are the maximum, meaning supervisory authorities are empowered to assess lower but not higher fines.
GDPR authorises a DPA to issue a reprimand in place of a fine in cases of a minor infringement where the fine would constitute a disproportionate burden on a natural person.
Member States are required to implement a penalty system.
One-stop-shop principle for organisations operating in multiple Member States.