GDPR Demystified
5 likes1,332 views
This document provides an introduction to the General Data Protection Regulation (GDPR). It begins by defining GDPR and explaining why it is important. It describes the evolution of GDPR from earlier data protection directives and regulations. It then defines several key terms related to GDPR, such as personal data, sensitive data, processing, pseudonymisation, and anonymisation. It outlines the structure of GDPR including its 11 chapters and 99 articles. It also describes various roles defined in GDPR such as controller, processor, data protection officer, and supervisory authority. Finally, it summarizes the six key GDPR principles and six lawful bases for processing personal data.
More Related Content
What's hot (20)
Similar to GDPR Demystified (20)
![ABM Display Advertising Success in the World of GDPR [PPT]](https://cdn.slidesharecdn.com/ss_thumbnails/gdpr-webinar-slides-final1-180126152808-thumbnail.jpg?width=560&fit=bounds)
More from SPIN Chennai (20)
Recently uploaded (20)
GDPR Demystified
- 1. INTRODUCTION TO GDPR Attempt to Demystify GDPR © Ramkumar Ramachandran – No part of this publication can be copied or stored in any form. Please obtain prior approval before use; write to [email protected]
- 2. GDPR INTRODUCTION What is GDPR? Why is it important? Evolution of GDPR GDPR Terms Roles in GDPR GDPR Principles Lawful Purposes in GDPR
- 3. 7/28/2018 3 MY IDENTITY • Ramkumar Ramachandran • Technology Startup – Tevel Cyber Corps • Director & CIO • ISMS, GDPR, Agile, DevOps, VA/PT, Cyber Forensics • Global experience in 10+ countries • Aeronautical Engineer / IIM-C Alumni / MIT Sloan Systems Thinking • CSQA, CISA, PMP, LA QMS/ISMS/SMS • IIIT-B Visiting Faculty • [email protected] © Ramkumar Ramachandran
- 5. WHERE IT ALL STARTED Data Privacy Act is not a very new one Privacy Act 1974 in US is the first one OECD countries created their own privacy laws and guidelines EU Directive on personal data 95/46 EC 1995 – First formal European adoption EU Data Protection Act came into effect in 1998 EU Data Protection Directive 1995 demands: - • Comprehensive protection of personal information • Clear restrictions of data transfer • Allows data transfer to third country subject to adequate level of protection Need for change in protection laws • Evolution of technology • Internet • Social Media There was need to be more explicit in terms used
- 6. WHAT IS GDPR? • The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation • By which the European Parliament, the Council of the European Union and the European Commission • Intended to strengthen and unify data protection for all individuals within the European Union (EU) • Applies to all member states of EU • Applies to all organization processing the data of EU data subjects – wherever the organization is geographically based • Data Protection Act 1998 upgraded to GDPR • Will supersede national laws • Is meant to unify data protection and ease flow of personal data • All organizations processing PII of EU residents must comply First proposed in January 2012 Formally approved in April 2016 Came into force from May 2018
- 7. WHY IS GDPR A “REGULATION”? It’s important to understand few legal terms: - Data Protection Directive Vs. General Data Protection Regulation • DIRECTIVE – Is a law that must be elaborated and ratified as law by each member state • REGULATION – Is a law and need not be elaborated and ratified by each member state So GDPR became legally binding law from 25th May 2018 onwards Directive was active at a time technology was not so advanced with Social Media, Mobile, Cloud and more GDPR addresses Data Privacy in a Technology Age
- 8. WHICH DATA SUBJECTS IS COVERED UNDER GDPR? European Union EU Citizens Non EU EU Citizens Non-EU Citizens COVERED NOT COVERED
- 9. DEFINITION OF GDPR GDPR is a set of rules governing how the personal data of individuals is processed and is applicable to customers, employees, and supplier personnel who are residing in European Union This applies to ‘Natural Persons’ meaning ‘individual human beings’ as opposed to ‘legal entity’ which could mean companies
- 10. 10 DATA SUBJECTS RIGHTS 1. Right to information - Right to ask what personal data of theirs is processed and with whom it is shared 2. Right to access - Right to access their own data as well as request copies of the same 3. Right to rectification - Right to request for change to their data if it not accurate 4. Right to withdraw consent - Right to withdraw the previously given consent, so that company does not process their data anymore 5. Right to object - Right to object when his/her data is processed in variance to committed purposes. This is similar to ‘Withdraw Consent’ 6. Right to object to automated processing - Right to demand only manual processing to understand the uniqueness of the data subject 7. Right to be forgotten - Right to request for deletion of their data. To be in conjunction with retention period and retention schedule in-line with applicable laws 8. Right for data portability - Right to return the data or transfer it to another controller
- 11. TERMS – PERSONAL DATA • Data that can be used to identify a living person • This could be direct or in-direct identification • Examples: - • Photos • IP Addresses • CCTV Images • Email Ids • Social Media Profiles
- 12. TERMS – SENSITIVE DATA • Data that would be damaging, when revealed • Examples: - • Race • Biometric Details • Political Association • Criminal History • Sexual Orientation • Religion
- 13. TERMS – PROCESSING • Processing could pertain any operations performed on personal data • This could be: - • Collecting • Storing • Using • Sending • Deleting • Collection includes ‘recording’ • Using includes Retrieval, Usage, Modification, combining or linking of data
- 14. TERMS – PSEUDONYMISATION • It is the mechanism of replacing the personal data with an identifier that makes it difficult to identify the individual • Examples: - • Customer Id • Student Exam Id • Role / Designation of an Employee • While it is difficult, it is not impossible to trace the actual personal data. Thereby GDPR treats pseudonymised data also as Personal Data
- 15. TERMS – ANONYMISATION • It is the mechanism of replacing the personal data with an identifier using multiple conditions thereby it is not re-creatable to the original form • Anonymised data can never be identified towards its original form • Some of the data where Anonymisation is done are: - • Social Security Number • Bank Account Details • Credit Card Numbers • Telephone Numbers • Postal Addresses Some Methods of Anonymisation: - • Directory Replacement • Scrambling • Masking • Blurring
- 16. GDPR STRUCTURE – 11 CHAPTERS AND 99 ARTICLES Chapter 1 – General Provisions (Art. 1- 4) Chapter 2 – Principles (Art. 5 -11) Chapter 3 – Rights of the data subject (Art. 12 – 23) Chapter 4 – Controller and Processor (Art. 24– 43) Chapter 5 – Transfer of Personal data to 3rd countries or international organizations (Art. 44 – 50) Chapter 6 – Independent supervisory authority ( Art. 51 – 59) Chapter 7 – Cooperation and consistency (Art. 60 – 76) Chapter 8 – Remedies, liability and penalties (Art. 77 – 84) Chapter 9 – Provisions relating to specific processing situations (Art. 85 – 91) Chapter 10 – Delegated acts and implementing acts ( Art. 92 – 93) Chapter 11 – Final Provisions (Art. 94 – 99)
- 17. ROLES – CONTROLLER • Refers to a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data • Examples: - • Organizations • Professional Bodies • Non-Profit Entities • Government Agencies • Data Controllers can be jointly responsible across entities • Accountable for GDPR compliance • Upholds Data Subjects’ rights
- 18. ROLES – PROCESSORS • A natural person or legal entity that processes personal data on behalf of Data Controller • Controller and Processor can be the same • Example: Organization’s processing their own employee data • When it is a Third Party, must comply with Data Processing Agreement
- 19. ROLES – DATA PROTECTION OFFICER • Data Protection Officer (DPO) is a leadership position required by EU GDPR in companies that processes personal data of EU Citizens • This need not be a single dedicated person for this role • DPO is expected to oversee the Data Protection approach, strategy and execution • Appointment of DPO is decided based on the sensitivity of data processed and not based on the volume. Ex. Healthcare analytics organization may need a DPO but enterprises that only process their employee data need not have a DPO • DPO is responsible for GDPR compliance of the organization
- 20. ROLES – SUPERVISORY AUTHORITY EU EU country Supervisory Authority EU country Supervisory Authority • Each EU country has formed a governing body to monitor the compliance towards GDPR • This entity is called as Supervisory Authority • This body is typically is a Information Commission, a data protection authority or an equivalent entity • In UK it is the Information Commission Office (ICO)
- 21. ROLES – LEAD SUPERVISORY AUTHORITY • Data Controllers spread across geographies could be termed as ‘Joint Data Controllers’ • Since each EU country could have a ‘Supervisory Authority’ they can appoint one of them as ‘Lead Supervisory Authority’ • All the events pertaining to Data Privacy will be reported to this Lead Supervisory Authority • Ex. Data Breaches, Data Protection Officer appointments etc. • When a Data Subject lodges a complaint with a Supervisory Authority, they may not be the Lead Supervisory Authority. • In such case, the Supervisory Authority, without any delay, is expected to intimate the same to Lead Supervisory Authority • Then Lead Supervisory Authority may decide as to who should handle this complaint
- 22. ROLES – LEAD SUPERVISORY AUTHORITY EU Country 1 Supervisory Authority Joint Data Controller Joint Data Controller Lead Supervisory Authority EU Country 2 EU Country 3 Supervisory Authority Joint Data Controller Country Governmental Body Organization
- 23. DATA PROCESSING LOCATIONS 23 Controller & Processor Inside EU Processor – Inside EU Processor – Outside EU Supervisory Authorities
- 24. LIABILITY & PENALTIES – FOR LESS IMPORTANT BREACHES Article 83: General conditions for imposing administrative fines. ϵ 10,000,000 or, in case of an undertaking, 2% total worldwide annual turnover in the preceding financial year (whichever is higher). Infringements in the following provisions: - • The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; • The obligations of the certification body pursuant to Articles 42 and 43; • The obligations of the monitoring body pursuant to Article 41(4)
- 25. LIABILITY & PENALTIES – FOR MORE IMPORTANT BREACHES Article 83: General conditions for imposing administrative fines. ϵ 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year (whichever is higher) . Infringements in the following provisions: - • The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; • The data subjects’ rights pursuant to Articles 12 to 22; • The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; • Any obligations pursuant to Member State law adopted under Chapter IX; • Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1)
- 26. HOW IS LIABILITY DECIDED? Following are the considerations done before a penalty is decided: - • The nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; • The intentional or negligent character of the infringement; • Any action taken by the controller or processor to mitigate the damage suffered by data subjects; • The degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to Articles 25 and 32; • Any relevant previous infringements by the controller or processor; • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; 7/28/2018 26
- 27. HOW IS LIABILITY DECIDED? (CONTD.) Following are the considerations done before a penalty is decided: - • The categories of personal data affected by the infringement; • The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; • Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; • Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. 7/28/2018 27
- 28. GDPR PRINCIPLES – ARTICLE 5 OF GDPR
- 29. GDPR PRINCIPLES Rule # 1: Lawfulness, fairness, and transparency Personal data must be processed in lawful manner, fairly and transparently. It shall be maintained with respect to the data subject. • Should be legally valid • Used for the purpose stated to the data subject and • In a manner known to all relevant stakeholders
- 30. GDPR PRINCIPLES Rule # 2: Limitation of purpose Personal data must be collected for specific, explicit and legitimate purpose. Processing must be limited to the legitimate purpose only • Purpose of data collection should be up-front declared • Should be a legitimate purpose • Processing should be limited to the defined legitimate purpose
- 31. GDPR PRINCIPLES Rule # 3: Data Minimisation Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed • Only pertinent data shall be collected • Any personal data that does not serve the purpose should not be collected • Ex. A ticket booking site should not ask about Traveler’s salary
- 32. GDPR PRINCIPLES Rule # 4: Accuracy Personal data shall be accurate and, where necessary, kept up to date • Personal data shall be updated to keep it accurate • Data Subjects shall be allowed to update their details to ensure that it is current
- 33. GDPR PRINCIPLES Rule # 5: Storage Limitation Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes • Retention period of the data should be declared and adhered to • Personal data should not be retained beyond the stated period • Ex. Personal data collected during Ticket Booking for Cricket Match should be discarded upon completion of the match or as stated to the Data Subjects
- 34. GDPR PRINCIPLES Rule # 6: Integrity and Confidentiality Personal data shall be processed in a way that ensures security, including protection against un- authorized and un-lawful processing, damage or loss • Safety of the personal data collected has to be ensured • Personal Data breaches should foreseen and steps taken accordingly to mitigate the same • Any un-authorized or un-lawful processing of personal data should not be allowed
- 35. SIX LAWFUL WAYS OF DATA PROCESSING Image Courtesy: https://www.i-scoop.eu/gdpr/legal-grounds-lawful-processing-personal-data/
- 36. LAWFUL PURPOSE # 1 Performance of Contractual Agreement • You can rely on this lawful basis if you need to process someone’s personal data: • To fulfil your contractual obligations to them; or • Because they have asked you to do something before entering into a contract (eg provide a quote). • The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply. • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning. • Ex. A car insurance quote can be given by Service Provider only after getting certain basic details
- 37. LAWFUL PURPOSE # 2 Legal Obligation • You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation. • This does not apply to contractual obligations. • The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply. • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning. • You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation. • Ex. An employer needs to process personal data to comply with its legal obligation to disclose employee salary details to HMRC (Income Tax). The employer can point to the HMRC website where the requirements are set out to demonstrate this obligation. In this situation it is not necessary to cite each specific piece of legislation.
- 38. LAWFUL PURPOSE # 3 Vital Interests • You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life. • The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply. • You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, or even if they refuse their consent. • You should consider whether you are likely to rely on this basis, and if so document the circumstances where it will be relevant and ensure you can justify your reasoning. • Ex: An individual is admitted to the A & E department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual’s medical history is necessary in order to protect his/her vital interests
- 39. LAWFUL PURPOSE # 4 Public Interest • You can rely on this lawful basis if you need to process personal data: • ‘In the exercise of official authority’. This covers public functions and powers that are set out in law; OR • To perform a specific task in the public interest that is set out in law • It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest • You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law • The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply • Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis • Ex. Government body collecting census data to provide various welfare measures fall under this category
- 40. LAWFUL PURPOSE # 5 Legitimate Interest • Legitimate interests is the most flexible lawful basis for processing • It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. • If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. • Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority • Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required. • Ex. Processing of personal data to produce sales reports for management is a basic activity that a company must perform for running the company effectively
- 41. LAWFUL PURPOSE # 6 Consent • The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis. • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. • Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard. • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. • Explicit consent requires a very clear and specific statement of consent. • Keep your consent requests separate from other terms and conditions
- 42. LAWFUL PURPOSE # 6 (CONTD.) Consent (contd.) • Name any third party controllers who will rely on the consent • Make it easy for people to withdraw consent and tell them how • Keep evidence of consent – who, when, how, and what you told people • Consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include: • The name of your organization; • The name of any third party controllers who will rely on the consent; • Why you want the data; • What you will do with it; and • That individuals can withdraw consent at any time Interactive Guidance Tool from ICO UK for deciding on legitimate data processing https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr- resources/lawful-basis-interactive-guidance-tool/
- 43. MYTHS OF GDPR • GDPR is only applicable in EU • It applies any organization that processes the personal data of EU residents • Consent is the only way to get data subject concurrence to process their data • There are six legitimate ways that GDPR defines under GDPR Principles • All Organizations need Data Protection Officer • DPO is needed only if the organization is public and engages large scale sensitive data • My backoffice services do not download customer data • Even ‘viewing’ of data is considered as ‘processing’ of personal data • I have ISO 27001 certification, so I comply to GDPR • Sorry, you are only right to a certain extent. GDPR is bit more than that
- 44. WHICH INDUSTRIES WILL BE IMPACTED? • Industries that provide services to individual customers – as Controllers • Ex. Financial Services, Retailers etc. • Industries providing backoffice support services – as Processors • Ex. Marketing support, BPO etc. • Professional Bodies – as Controllers • Ex. Clubs, Professional Associations etc. • NGO, Charity Organizations, Non-Profit Organizations – as Controllers
- 45. 45 MANDATORY GDPR DOCUMENTS Personal Data Protection Policy Privacy Notice Data Retention Policy Data Retention Schedule Inventory of Processing Activities Data Protection Impact Assessment (DPIA) Register Data Breach Notification Procedure Data Breach Register Parental Consent Withdrawal Form Data Subject Consent Form Data Subject Consent Withdrawal Form Parental Consent Form Data Protection Officer – Job Description Data Breach Notification to the Supervisory Authority Data Breach Notification to the Data Subjects Standard Contractual Clauses for the Transfer of Personal data to Controllers Standard Contractual Clauses for the Transfer of Personal data to Processors General: For Data Controllers Standard Contractual Clauses for the Transfer of Personal data to Processors Data Breach Notification to Data Controllers For Data Processors
- 46. © Ramkumar Ramachandran – No part of this publication can be copied or stored. ROLLOUT STEPS – GDPR IMPLEMENTATION 1) Define the scope 2) Define the Privacy Policy 3) Publish the Privacy Notice 4) Create Inventory of Processing Activities & Retention 5) Communicate and Create Awareness 6) Conduct Information Audit 7) Conduct Privacy Impact Assessment 8) Establish the rights to process personal data 9) Plan for Consent 10) Decide on Children Consent 11) Define the Responsibilities of DPO, Controller and Processor 12) Mechanisms to handle Suppliers who are Data Processors 13) Decide on Cloud Considerations 14) Decide on how to react during data breaches 15) Ensuring Security by Design 16) How do you handle data sent outside EU 17) Understanding clearly the Data Subject Rights 18) Handling Subject Access Requests
- 47. END OF SECTION © Ramkumar Ramachandran – No part of this publication can be copied or stored in any form. Please obtain prior approval before use; write to [email protected]