GDPR Study Notes PDF

General Data Protection Regulation.
All data are not created Equal

1. What kind of data is being processed?
2. What category does it fall into?
3. In what format do you store the data?
4. How do you collect the data?
5. How do you share it internally and externally?
6. What locations are involved within the data flow?
7. Who is accountable for the personal data?
8. Who has access to the data?
The General Data Protection Regulation – is a legal act of the European Union
now enforceable in all Member States.
Its full title is “REGULATION (EU) 2016/679 OF THE EUROPEAN

PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
NATURAL PERSON with regard to processing of PERSONAL DATA and on the
free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation)”
Structure of the General Data Protection Regulation (GDPR)
• 11 Chapters
• 99 Articles
• 173 Recitals
What constitutes personal data?

The GDPR applies to ‘personal data’, meaning any information relating to an
identifiable person who can be directly or indirectly identified in particular by
reference to an identifier. This definition provides for a wide range of personal
identifiers to constitute personal data, including name, identification number,
location data or online identifier, reflecting changes in technology and the way
organisations collect information about people.
Article 9: Processing special categories of personal data –– Processing personal
data revealing race, political opinions, religion, philosophy, trade union membership,
genetic data, health, sex life, and sexual orientation is prohibited unless the subject
Page | 1
gives explicit consent, it’s necessary to carry out the obligations of the controller, it’s
necessary to protect the vital interests of the data subject, etc
“The process of creating this data map is fundamental to understanding an
organization’s current resources of personal information”
Data mapping process Essential for GDPR compliance + Significant Operational

benefit. Once business understands its data resources, it has the chance to determine
just how much of this information has value and the source of that value.
You Must Better Understand Your Data that you Collect and Held
before you try to comply with GDPR.
 What data is held?

 Where is it located?
 How many distinct categories?
 Who has access?
 What is it being used for”?
 What consent has been given?
Data Elements:
 Name
 Addresses
 Employment Information
 Medical records
 Customer addresses
 Membership records
 RFID tags
 IP Addresses
 Identifiers of a data subject
 ID numbers
 Location
 Physical
 Physiological
 Mental
 Economic
 Cultural
 Social
 Race Article 9
 Political opinions Article 9
 Religion Article 9
 Philosophy Article 9
 Trade union membership Article 9
 Genetic data Article 9
Page | 2
 Health Article 9
 Sex Life Article 9
 Sexual Orientation Article 9

necessary to protect the vital interests of the data subject, etc
“The process of creating this data map is fundamental to understanding an

organization’s current resources of personal information”
• Pseudonymization
• Encryption
• Appropriate level of security
Data mapping process Essential for GDPR compliance + Significant Operational

benefit. Once business understands its data resources, it has the chance to determine
What about Data Subjects under the age of 16?

Parental consent is required to process the personal data of children under the age of
16 for online services; member states may legislate for a lower age of consent but this
will not be below the age of 13.
Data Subject Rights
Breach Notification Under the GDPR, breach notifications are now mandatory in
all member states where a data breach is likely to “result in a risk for the rights and
freedoms of individuals”. This must be done within 72 hours of first having become
aware of the breach. Data processors are also required to notify their customers, the
controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access Part of the expanded rights of data subjects outlined by the GDPR
is the right for data subjects to obtain confirmation from the data controller as to whether
or not personal data concerning them is being processed, where and for what purpose.
Further, the controller shall provide a copy of the personal data, free of charge, in an
electronic format. This change is a dramatic shift to data transparency and
empowerment of data subjects.
Right to be Forgotten Also known as Data Erasure, the right to be forgotten entitles
the data subject to have the data controller erase his/her personal data, cease further
Page | 3
dissemination of the data, and potentially have third parties halt processing of the data.
The conditions for erasure, as outlined in article 17, include the data no longer being
relevant to original purposes for processing, or a data subject withdrawing consent. It
should also be noted that this right requires controllers to compare the subjects’ rights to
“the public interest in the availability of the data” when considering such requests.
Data Portability GDPR introduces data portability – the right for a data subject to
receive the personal data concerning them – which they have previously provided in a
‘commonly use and machine readable format’ and have the right to transmit that data to
another controller.
Privacy by Design Privacy by design as a concept has existed for years, but it
is only just becoming part of a legal requirement with the GDPR. At its core, privacy by
design calls for the inclusion of data protection from the onset of the designing of
systems, rather than an addition. More specifically, ‘The controller shall… implement
appropriate technical and organisational measures… in an effective way… in order to
meet the requirements of this Regulation and protect the rights of data subjects’. Article
23 calls for controllers to hold and process only the data absolutely necessary for the
completion of its duties (data minimisation), as well as limiting the access to personal
data to those needing to act out the processing.
Data Protection Officers Under GDPR it is not necessary to submit
notifications / registrations to each local DPA of data processing activities, nor is it a
requirement to notify / obtain approval for transfers based on the Model Contract
Clauses (MCCs). Instead, there are internal record keeping requirements, as further
explained below, and DPO appointment is mandatory only for those controllers and
processors whose core activities consist of processing operations which require regular
and systematic monitoring of data subjects on a large scale or of special categories of
data or data relating to criminal convictions and offences. Importantly, the Data
Protection Officer:
 Must be appointed on the basis of professional qualities and, in particular,
expert knowledge on data protection law and practices
 May be a staff member or an external service provider
 Contact details must be provided to the relevant DPA
 Must be provided with appropriate resources to carry out their tasks and
maintain their expert knowledge
 Must report directly to the highest level of management
 Must not carry out any other tasks that could results in a conflict of
interest.
Module 1: Setting the Strategy: An Organizational Commitment
A summary of the concepts behind GDPR, addresses why this is a business challenge
and not just a security problem and offers insights into identifying key stakeholders and
developing a strategy for gaining support and buy-in.
Learning Objectives:
Page | 4
At the end of the module you will be able to:
• Distinguish roles and responsibilities for GDPR compliance.

• Examine the specific role of security in GDPR implementation.
• Influence strategy, direction and implementation of GDPR.
• Build a plan that identifies key stakeholders and tactics for gaining support and
buy-in.
Settings the Strategy: An Organization Commitment

Introductions:
Phase 1: Develop
• Identify senior stakeholders and engage each business unit affect.
• Allocate adequate resources to support implementation
• Inventory and analyze personal data held across the organization.
• Verify procedures to insure they cover all rights EU individuals have under
GDPR.
• Review how consent is sought, obtained and recorded to determine if changes
are needed.
• Designate a DPO when processing involves specific data categories, personal
data processing is large scale, and if processing these special types of personal
data is core to your business.
1) Roles
2) Responsibilities
3) Role of security in GDPR compliance.
Understanding: Strategy – Direction – Implementation
GDPR Plan
General Data Protection Regulation (GDPR) : An Organizational Commitment

• Legal act now enforce in all Member States
• Compliance begins with high-level decisions
Primary Objectives of Module 1:
1) Become familiar with specific articles,
2) Identify articles that apply to your company,
3) Identify stakeholders who will make decisions.
General Data Protection Regulation (GDPR)
Page | 5
.The full title is “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL of 27 April 2016 on the protection of NATURAL PERSON with
regard to processing of PERSONAL DATA and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation)”
General Data Protection Regulation (GDPR) FACTS
2 Important things to know @ GDPR.
1) Does not include privacy or personally identifiable data
2) Is an extraterritorial regulation.
Personal data of EU citizens
• Collect
• Stores
• Processes
• Transmits
Structure of the General Data Protection Regulation (GDPR)

• 11 Chapters
• 99 Articles
• 173 Recitals
Chapter 1 GENERAL PROVISIONS
Chapter 2 PRINCIPLES
Chapter 3 RIGHTS OF THE DATA SUBJECT

Chapter 4 CONTROLLER AND PROCESSOR
Chapter 5 TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR

INTERNATIONAL ORGANISATIONS
Chapter 6 INDEPENDENT SUPERVISORY AUTHORITIES

Chapter 7 COOPERATION AND CONSISTENCY
Chapter 8 REMEDIES, LIABILITY AND PENALTIES
Chapter 9 PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS

Chapter 10 DELEGATED ACTS AND IMPLEMENTING ACTS
Chapter 11 FINAL PROVISIONS
Page | 6
CHAPTER 1 GENERAL PROVISIONS – This chapter discusses the aim of the
Regulation, the scope of the Regulation (where it applies and who it applies to), and
essential definitions.
Article 1:Subject-matter and objectives –– This Regulation contains rules on
processing personal data and the free movement of personal data to protect the
fundamental rights and freedoms of natural persons and their right to protection of
personal data
Article 2: Material Scope –– This Regulation applies to the processing of personal
data which form part of a filing system.
Article 3: Territorial Scope –– This Regulation applies to controllers and processors in
the Union and controllers or processors not in the Union if they process personal data of
data subjects who live in the Union.
Article 4: Definitions –– This Article contains 26 essential definitions.
CHAPTER 2 PRINCIPLES – This chapter outlines the rules for processing and
protecting personal data.
Article 5: Principles relating to processing of personal data –– Personal data shall
be processed lawfully, fairly, and in a transparent manner; collected for specified,
explicit, and legitimate purposes; be adequate, relevant, and limited to what is
necessary; etc.
Article 6: Lawfulness of processing –– There are six reasons that make processing
lawful if at least one is true (e.g. data subject has given consent, processing is
necessary for the performance of a contract, etc).
Article 7: Conditions for Consent –– When processing is based on consent, whoever
controls the personal data must prove consent to the processing, and the data subject
can withdraw consent at any time.
Article 8: Conditions applicable to child’s consent in relation to information
societal services –– Information society services can process personal data of a child
if the child is over 16. If the child is under 16, the legal guardian must consent.
necessary to protect the vital interests of the data subject, etc.
Page | 7
Article 10: Processing personal data related to criminal convictions and offenses
–– Processing personal data related to criminal convictions can only be carried out by
an official authority or when Union or Member State law authorizes the processing.
Article 11: Processing which does not require identification –– The controller does
not need to get or process additional information to identify the data subject if the
purpose for which the controller processes data does not require the identification of a
data subject.
CHAPTER 3 RIGHTS OF THE DATA SUBJECT

This chapter discusses the rights of the data subject, including the right to be forgotten,
right to rectification, and right to restriction of processing.
Section 1 = Transparency and modalities
Article 12: Transparent information, communications, and modalities for the
exercise of the rights of the data subject –– When necessary, the controller must
provide information in a concise, transparent, intelligible and easily accessible form,
using clear and plain language, and the controller needs to provide information on
action taken on request by and to the data subject within one month.
Section 2 = Information and access to personal data
Article 13: Information to be provided where personal data are collected from the
data subject –– When personal data is collected from the data subject, certain
information needs to be provided to the data subject.
Article 14: Information to provide to the data subject when personal data has not
been obtained from data subject –– When personal data is not obtained from the data
subject, the controller has to provide the data subject with certain information.
Article 15: Right of access by the data subject –– The data subject has a right to
know whether their personal data is being processed, what data is being processed,
etc.
Section 3 = Rectification and Erasure
Article 16: Right to rectification –– The data subject can require the controller to
rectify any inaccurate information immediately.
Article 17: Right to be forgotten –– In some cases, the data subject has the right to
make the controller erase all personal data, with some exceptions.
Article 18: Right to restriction of processing –– In some cases, the data subject can
restrict the controller from processing.
Page | 8
Article 19: Notification obligation regarding rectification or erasure of personal
data or restriction of processing –– The controller has to notify recipients of personal
data if that data is rectified or erased.
Article 20: Right to data portability –– The data subject can request to receive their
personal data and give it to another controller or have the current controller give it
directly to another controller.
Section 4 = Right to Object and Automated Individual decision-making
Article 21: Right to Object –– Data subjects have the right to object to data processing
on the grounds of his or her personal situation.
Article 22: Automated individual decision-making, including profiling –– Data
subjects have the right not to be subjected to automated individual decision-making,
including profiling.
Section 5 = Restrictions
Article 23: Restrictions –– Union or Member State law can restrict the rights in Articles
12 through 22 through a legislative measure.
CHAPTER 4 CONTROLLER AND PROCESSOR – This chapter covers the general

obligations and necessary security measures of data controllers and processors, as well
as data protection impact assessments, the role of the data protection officer, codes of
conduct, and certifications.
Section 1 = General Obligations
Article 24: Responsibility of the Controller –– The controller has to ensure that
processing is in accordance with this Regulation.
Article 25: Data protection by design and by default –– Controllers must implement
data protection principles in an effective manner and integrate necessary safeguards to
protect rights of data subjects.
Article 26: Joint Controllers –– When there are two or more controllers they have to
determine their respective responsibilities for compliance.
Article 27: Representatives of controllers or processors not established in the
Union –– When the controller and processor are not in the Union, in most cases they
have to establish a representative in the Union.
Article 28: Processor –– When processing is carried out on behalf of a controller, the
controller can only use a processor that provides sufficient guarantees to implement
appropriate technical and organizational measures that will meet GDPR requirements.
Page | 9
Article 29: Processing under the authority of the controller or processor ––
Processors can only process data when instructed by the controller.
Article 30: Records of Processing Activities –– Each controller or their
representatives needs to maintain a record of processing activities and all categories of
processing activities.
Article 31: Cooperation with the supervisory authority –– The controller and
processor have to cooperate with supervisory authorities.
Section 2 = Security of personal data
Article 32: Security of processing –– The controller and processor must ensure a
level of security appropriate to the risk.
Article 33: Notification of a personal data breach to the supervisory authority ––
In the case of a breach, the controller has to notify the supervisory authority within 72
hours, unless the breach is unlikely to result in risk to people. And the processor needs
to notify the controller immediately.
Article 34: Communication of a personal data breach to the data subject –– When
a breach is likely to cause risk to people, the controller has to notify data subjects
immediately.
Section 3 = Data protection impact assessment and prior consultation
Article 35: Data protection impact assessment –– When a type of processing,
especially with new technologies, is likely to result in a high risk for people, an
assessment of the impact of the processing needs to be done.
Article 36: Prior consultation –– The controller needs to consult the supervisory
authority when an impact assessment suggests there will be high risk if further action is
not taken. The supervisory authority must provide advice within eight weeks of receiving
the request for consultation.
Section 4 = Data protection officer
Article 37: Designation of the data protection officer –– The controller and
processor must designate a data protection officer (DPO) if processing is carried out by
a public authority, processing operations require the systematic monitoring of data
subjects, or core activities of the controller or processor consist of processing personal
data relating to criminal convictions or on a large scale of special categories of data
pursuant to Article 9.
Article 38: Position of the data protection officer –– The DPO must be involved in all
issues which relate to the protection of personal data. The controller and processor
must provide all necessary support for the DPO to do their tasks and not provide
instruction regarding those tasks.
Page | 10
Article 39: Tasks of the data protection officer –– The DPO must inform and advise
the controller and processor and their employees of their obligations, monitor
compliance, provide advice, cooperate with the supervisory authority, and act as the
contact point for the supervisory authority.
Section 5 = Codes of conduct and certification
Article 40: Codes of conduct –– Member States, the supervisory authorities, the
Board, and the Commission shall encourage the drawing up of codes of conduct
intended to contribute to the proper application of the GDPR.
Article 41: Monitoring of approved codes of conduct –– A body with adequate
expertise in the subject-matter and is accredited to do so by the supervisory authority
can monitor compliance with a code of conduct.
Article 42: Certification –– Member States, the supervisory authorities, the Board, and
the Commission shall encourage the establishment of data protection certification
mechanisms to demonstrate compliance.
Article 43: Certification bodies –– Certification bodies accredited by Member States
can issue and renew certifications.
CHAPTER 5 TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR

INTERNATIONAL ORGANIZATIONS – This chapter provides the rules for transferring
personal data that is undergoing or will undergo processing outside of the Union.
Article 44: General principle for transfers –– Controllers and processors can only
transfer personal data if they comply with the conditions in this chapter.
Article 45: Transfers on the basis of an adequacy decision –– A transfer of personal
data to a third country or international organization can occur if the Commission has
decided the country or organization can ensure an adequate level of protection.
Article 46: Transfers subject to appropriate safeguards –– If the Commission has
decided it can’t ensure an adequate level of protection, a controller or processor can
transfer personal data to a third country or organization if it has provided appropriate
safeguards.
Article 47: Binding Corporate rules –– The supervisory authority will approve binding
corporate rules in accordance with the consistency mechanism in Article 63.
Article 48: Transfers or disclosures not authorized by Union law –– Any decision
by a court or administrative authority in a third country to transfer or disclose personal
data is only enforceable if the decision is based on an international agreement.
Page | 11
Article 49: Derogations for specific situations –– If there is no adequacy decision
(Article 45) or appropriate safegaurds, a transfer of personal data to a third country or
organization can only happen if one of seven certain conditions are met.
Article 50: International cooperation for the protection of personal data –– The
Commission and supervisory authority have to do their best to further cooperation with
third countries and international organizations.
CHAPTER 6 INDEPENDENT SUPERVISORY AUTHORITY – This chapter requires

that each Member State have a competent supervisory authority with certain tasks and
powers.
Section 1 = Independent status
Article 51: Supervisory authority –– Each Member state has to supply at least one
independent public authority to enforce this regulation.
Article 52: Independence –– Each supervisory authority has to act with complete
independence, and its members have to remain free from external influence.
Article 53: General conditions for the members of the supervisory authority ––
Member states need to appoint members of the supervisory authority in a transparent
way, and each member must be qualified.
Article 54: Rules on the establishment of the supervisory authority –– Each
Member State needs to provide, in law, the establishment of each supervisory authority,
qualifications for members, rules for appointment, etc.
Section 2 = Competence, tasks, and powers
Article 55: Competence –– Each supervisory authority must be competent to perform
the tasks in this Regulation.
Article 56: Competence of the lead supervisory authority –– The supervisory
authority of a controller or processor that is doing cross-border processing will be the
lead supervisory authority.
Article 57: Tasks –– In its territory, each supervisory authority will monitor and enforce
this Regulation, promote public awareness, advise the national government, provide
information to data subjects, etc.
Article 58: Powers –– Each supervisory will have investigative, corrective,
authorization, and advisory powers.
Article 59: Activity Reports –– Each supervisory authority must write an annual report on
its activities.
Page | 12
CHAPTER 7 COOPERATION AND CONSISTENCY – This chapter outlines how
supervisory authorities will cooperate with each other and ways they can remain
consistent when applying this Regulation and defines the European Data Protection
Board and its purpose.
Section 1 = Cooperation
Article 60: Cooperation between the lead supervisory authority and the other
supervisory authorities concerned –– The lead supervisory authority will cooperate
with other supervisory authorities to attain information, mutual assistance, communicate
relevant information, etc.
Article 61: Mutual assistance –– Supervisory authorities must provide each other with
relevant information and mutual assistance in order to implement and apply this
regulation.
Article 62: Joint operations of supervisory authorities –– Where appropriate,
supervisory authorities will conduct joint operations.
Section 2 = Consistency
Article 63: Consistency mechanism –– For consistent application of this Regulation,
supervisory authorities will cooperate with each other and the Commission through the
consistency mechanism in this section.
Article 64: Opinion of the Board –– If a supervisory authority adopts any new measures,
the Board will issue an opinion on it.
Article 65: Dispute resolution by the Board –– The Board has the power to resolve
disputes between supervisory authorities.
Article 66: Urgency Procedure –– If there is an urgent need to act to protect data
subjects, a supervisory authority may adopt provisional measures for legal effects that
do not exceed three months.
Article 67: Exchange of information –– The Commission may adopt implementing acts
in order to specify the arrangements for the exchange of information between
supervisory authorities.
Section 3 = European data protection board
Article 68: European Data Protection Board –– The Board is composed of the head of
one supervisory authority from each Member state.
Article 69: Independence –– The Board must act independently when performing its
tasks or exercising its powers.
Article 70: Tasks of the Board –– The Board needs to monitor and ensure correct
application of this Regulation, advise the Commission, issue guidelines,
recommendations, and best practices, etc.
Page | 13
Article 71: Reports –– The Board will write an annual public report on the protection of
natural persons with regard to processing.
Article 72: Procedure –– The Board will consider decisions by a majority vote and adopt
decisions by a two-thirds majority.
Article 73: Chair –– The Board elects a chair and two deputy chairs by a majority vote.
Terms are five years and are renewable once.
Article 74: Tasks of the chair –– The Chair is responsible for setting up Board meetings,
notifying supervisory authorities of Board decisions, and makes sure Board tasks are
performed on time.
Article 75: Secretariat –– The European Data Protection Supervisor will appoint a
secretariat that exclusively performs tasks under the instruction of the Chair of the
Board, mainly to provide analytical, administrative, and logistical support to the Board.
Article 76: Confidentiality –– Board discussions are confidential.
CHAPTER 8 REMEDIES, LIABILITY, AND PENALTIES – This chapter covers the

rights of data subjects to judicial remedies and the penalties for controllers and
processors.
Article 77: Right to lodge a complaint with a supervisory authority –– Every data subject
has the right to lodge a complaint with a supervisory authority.
Article 78: Right to an effective judicial remedy against a supervisory authority –– Each
natural or legal person has the right to a judicial remedy against a decision of a
supervisory authority.
Article 79: Right to an effective judicial remedy against a controller or processor ––
Each data subject has the right to a judicial remedy if the person considers his or her
rights have been infringed on as a result of non-compliance processing.
Article 80: Representation of data subjects –– Data subjects have the right to have an
organization lodge a complaint on his or her behalf.
Article 81: Suspension of proceedings –– Any court in a Member State that realizes
proceedings for the same subject that is already occurring in another Member State can
suspend its proceedings.
Article 82: Right to compensation and liability –– Any person who has suffered damage
from infringement of this Regulation has the right to receive compensation from the
controller or processor or both.
Article 83: General conditions for imposing administrative fines –– Each supervisory
authority shall ensure that fines are effective, proportionate, and dissuasive. For
infringements of Articles 8, 11, 25 to 39, 41, 42, and 43 fines can be up to $10,000,000
Page | 14
or two percent global annual turnover. For infringements of Articles 5, 6, 7, 9, 12, 22, 44
to 49, and 58 fines can be up to $20,000,000 or four percent of global annual turnover.
Article 84: Penalties –– Member States can make additional penalties for infringements.
CHAPTER 9 PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS –

This chapter covers some exceptions to the Regulation and enables Member States to
create their own specific rules.
Article 85: Processing and freedom of expression and information –– Member States
have to reconcile the protection of personal data and the right to freedom of expression
and information (for journalistic, artistic, academic, and literary purposes).
Article 86: Processing and public access to official documents –– Personal data in
official documents for tasks carried out in the public interest may be disclosed for public
access in accordance with Union or Member State.
Article 87: Processing of the national identification number –– Member States can
determine the conditions for processing national identification numbers or any other
identifier.
Article 88: Processing in the context of employment –– Member States can provide
more specific rules for processing employees’ personal data.
Article 89: Safeguards and derogations relating to processing for archiving purposes in
the public interest, scientific or historical research purposes or statistical purposes ––
Processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes is subject to appropriate safeguards (data minimization
and pseudonymization).
Article 90: Obligations of secrecy –– Member States can adopt specific rules for the
powers of the supervisory authorities regarding controllers’ and processors’ obligation to
secrecy.
Article 91: Existing data protection rules of churches and religious associations ––
Churches and religious associations or communities that lay down their own rules for
processing in order to protect natural persons can continue to use those rules as long
as they are in line with this Regulation.
CHAPTER 10 DELEGATED ACTS AND IMPLEMENTING ACTS

Article 92: Exercise of the delegation –– The Commission has the power to adopt
delegated acts. Delegation of power can be revoked at any time by the European
Parliament or the Council.
Page | 15
Article 93: Committee procedure –– The Commission will be assisted by a committee.
CHAPTER 11 FINAL PROVISIONS - This chapter explains the relationship with

this Regulation to past Directives and Agreements on the same subject matter,
requires the Commission to submit a report every four years, and enables the
commission to submit legislative proposals.
Article 94: Repeal of directive 95/46/EC –– 1995 Directive 95/46/EC is repealed (The
old personal data processing law).
Article 95: Relationship with Directive 2002/58/EC –– This Regulation does not add
obligations for natural or legal persons that are already set out in Directive 2002/58/EC
(has to do with the processing of personal data and the protection of privacy in the
electronic communications sector).
Article 96: Relationship with previously concluded Agreements –– International
agreements involving the transfer of data to third countries or organizations that were
setup before 24 May 2016 will stay in effect.
Article 97: Commission reports –– Every four years the Commission will submit a report
on this Regulation to the European Parliament and to the Council.
Article 98: Review of other Union legal acts on data protection –– The Commission can
submit legislative proposals to amend other Union legal acts on the protection of
personal data.
Article 99: Entry into force and application –– The Regulation applies from 25 May 2018.
Data Elements:
 Name
 Addresses
 Employment Information
 Medical records
 Customer addresses
 Membership records
 RFID tags
 IP Addresses
 Identifiers of a data subject
 ID numbers
 Location
 Physical
 Physiological
 Genetic
Page | 16
 Mental
 Economic
 Cultural
 Social

A Business Issue
 Principles Article 5
 Lawful Processing Article 6
 Article 5: Principles relating to processing of personal data –– Personal data
shall be processed lawfully, fairly, and in a transparent manner; collected for
specified, explicit, and legitimate purposes; be adequate, relevant, and limited to
what is necessary; etc.
 Article 6: Lawfulness of processing –– There are six reasons that make
processing lawful if at least one is true (e.g. data subject has given consent,
processing is necessary for the performance of a contract, etc).
A Business Issue: Organization/Controller: Meet principles & Demonstrate

compliance under the accountability
 Lawfulness
 Fairness
 Transparency
 Purpose limitation
 Data minimization
 Accuracy
 Storage limitation
 Integrity
 Confidentiality
Data Minimization
Data Minimization
• Adequate
• Relevant
• Limited
The decision may lie with marketing, shipping, or finance.
Page | 17
Lawfulness of Processing : Article 6: Lawfulness of processing –– There are six
reasons that make processing lawful if at least one is true (e.g. data subject has given
consent, processing is necessary for the performance of a contract, etc).
 Defining which data processing is legal
 Six lawful processing activities
 The controller must decide if one or more applies.
Business and Legal decision
Decision and Details:

Decision regarding “Article 5: Principles relating to processing of personal data &
Article 6: Lawfulness of processing MUST BE MADE at the HIGHEST LEVEL.
Under Article 77 to 84
 Remedies
 Penalties
 Liability
Article 77: Right to lodge a complaint with a supervisory authority –– Every data
subject has the right to lodge a complaint with a supervisory authority.
Article 78: Right to an effective judicial remedy against a supervisory authority ––
Each natural or legal person has the right to a judicial remedy against a decision of a
Article 79: Right to an effective judicial remedy against a controller or processor –
– Each data subject has the right to a judicial remedy if the person considers his or her
Article 80: Representation of data subjects –– Data subjects have the right to have
an organization lodge a complaint on his or her behalf.
Article 82: Right to compensation and liability –– Any person who has suffered
damage from infringement of this Regulation has the right to receive compensation from
the controller or processor or both.
Article 83: General conditions for imposing administrative fines –– Each
supervisory authority shall ensure that fines are effective, proportionate, and dissuasive.
Page | 18
For infringements of Articles 8, 11, 25 to 39, 41, 42, and 43 fines can be up to
$10,000,000 or two percent global annual turnover. For infringements of Articles 5, 6, 7,
9, 12, 22, 44 to 49, and 58 fines can be up to $20,000,000 or four percent of global
annual turnover.
Article 84: Penalties –– Member States can make additional penalties for
infringements.
Review:
Question: What does GDPR stand for?
Answer: General Data Protection Regulation.
Question; You are establishing an online account with a local print shop. The application
includes many questions. Using the concept of data minimization from the GDPR, which
question will be no longer be allowed? Select all that apply:
1) Name
2) Gender
3) Job Title
4) Phone number
5) Your preferred method of notification when your prints are ready to be
picket up (phone, text or email)
The InfoSec Professional and GDPR
Chapter II Principles
Chapter III Rights of the data subject
Chapter iV Controller and processor
Chapter VIII Remedies, Liability and Penalties
Chapter 2: Principles
necessary; etc.
• Appropriate security
• Unauthorized or unlawful processing
• Accidental loss, destruction or damages
Page | 19
• Appropriate technical / organization measures
Article 7: Conditions for Consent –– When processing is based on consent, whoever
controls the personal data must prove consent to the processing, and the data subject
can withdraw consent at any time.
• Organization shall be able to demonstrate that the data subject consented to
processing
• Confidentiality – Integrity – Availability
Chapter 3: Right of the Data Subject

Data Subject: Identified or Identifiable natural person
Article 4 Controller: Any natural or legal person, public authority, agency or other
body which determines the purpose and means of the processing of personal data.
Article 12: Transparent information, communications, and modalities for the
exercise of the rights of the data subject –– When necessary, the controller must
provide information in a concise, transparent, intelligible and easily accessible form,
using clear and plain language, and the controller needs to provide information on
action taken on request by and to the data subject within one month.
Section 2 = Information and access to personal data
Article 13: Information to be provided where personal data are collected from the
data subject –– When personal data is collected from the data subject, certain
information needs to be provided to the data subject.
Article 14: Information to provide to the data subject when personal data has not
been obtained from data subject –– When personal data is not obtained from the data
subject, the controller has to provide the data subject with certain information.
Article 15: Right of access by the data subject –– The data subject has a right to
know whether their personal data is being processed, what data is being processed,
etc.
Section 3 = Rectification and Erasure
Article 16: Right to rectification –– The data subject can require the controller to
rectify any inaccurate information immediately.
Article 17: Right to be forgotten –– In some cases, the data subject has the right to
make the controller erase all personal data, with some exceptions.
Article 18: Right to restriction of processing –– In some cases, the data subject can
restrict the controller from processing.
Page | 20
data or restriction of processing –– The controller has to notify recipients of personal
data if that data is rectified or erased.
Article 20: Right to data portability –– The data subject can request to receive their
personal data and give it to another controller or have the current controller give it
directly to another controller.
Section 4 = Right to Object and Automated Individual decision-making
Article 21: Right to Object –– Data subjects have the right to object to data processing
on the grounds of his or her personal situation.
Article 22: Automated individual decision-making, including profiling –– Data
subjects have the right not to be subjected to automated individual decision-making,
including profiling.
Section 5 = Restrictions
Article 23: Restrictions –– Union or Member State law can restrict the rights in Articles
12 through 22 through a legislative measure.
immediately.
Chapter Four IV: Controller and Processor
Article 24: Responsibility of the Controller –– The controller has to ensure that
processing is in accordance with this Regulation.
Article 24: Responsibility of the controller
- Implement appropriate technical and organizational methods
- Ensure and be able to demonstrate
- Processing is performed in accordance with GDPR
- Measure to be review and updated as necessary
protect rights of data subjects
Article 32: Security of processing –– The controller and processor must ensure a
level of security appropriate to the risk.
- State of the art
Page | 21
- Appropriate technical and organizational methods
- Controller must provide general description of
- Technical and organizational methods
 DPIA
 For high-risk situations
- Personal data breaches
- Notification requirements
Supervisory authority
immediately.
- Communication to data subjects
- High risk to their rights and freedoms.
DETECT and REACT without UNDUE DELAY
Chapter 8 VIII: Remedies, liability and Penalties

annual turnover.
- Article 83: General condition for imposing administrative fines
- Reference Article 25 and Article 32
- Controller is responsible
Page | 22
- Must explain to supervisory authority:
 What controls were in place?
 How well were they implemented?
Review:
Throughout the GDPR, there is reference to the controller. Who or what is the
controller?
Any natural or legal person, public authority, agency or other body which determines
the purpose and means of personal data
 Articles –
 Decisions-
 Compliance Plan -
 Stakeholders –
 Data Sets –
 Collection Methods
Module 2: Organizational Awareness
Personal Data is Everyone’s Responsibility

- Understand GDPR requirement
- Perform a gap analysis to identify any extra content for awareness and related
program around personal data.
- Determine roles and responsibility’s surrounding your organization data,
resources need to become compliant and identify outcomes and success
measure.
- Construct an effective GDPR internal Awareness plan
Introduction:
 Requirements of GDPR
 Gap Analysis
 Contents for Awareness Programs
 Roles and Responsibilities
 Resources
 Outcomes and Success Measures
Phase 1: Develop
Page | 23
• Identify senior stakeholders and engage each business unit affect.
• Allocate adequate resources to support implementation
• Inventory and analyze personal data held across the organization.
• Verify procedures to insure they cover all rights EU individuals have under
GDPR.
• Review how consent is sought, obtained and recorded to determine if changes
are needed.
• Designate a DPO when processing involves specific data categories, personal
data processing is large scale, and if processing these special types of personal
data is core to your business.
You should be able to construct a GDPR Internal Awareness Plan.
Personal Data is Everyone’s Responsibility

Organizational Awareness
Without the support of Staff: Aware – Educated – Trained

Investment – Policies – Procedures - Technology
At best = minimized At worst = worthless
Proven techniques and approaches

 Improve the campaign
 Engage and inspire

 Awareness requirements of GDPR
 Impactful campaign development
AIMS and Objectives of GDPR

Chapter IV: Controller and processor
Chapter VIII: Remedies, Liability and Penalties
The General Data Protection Regulation is a legal act of the European Union now
enforceable in all Member States.
General Data Protection Regulation (GDPR)
Page | 24
.The full title is “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL of 27 April 2016 on the protection of NATURAL PERSON with
Chapter IV: Controller and Processor
\Section 4:
Section 4 = Data protection officer
Article 37: Designation of the data protection officer –– The controller and
processor must designate a data protection officer (DPO) if processing is carried out by
a public authority, processing operations require the systematic monitoring of data
subjects, or core activities of the controller or processor consist of processing personal
data relating to criminal convictions or on a large scale of special categories of data
pursuant to Article 9.
Article 38: Position of the data protection officer –– The DPO must be involved in all
issues which relate to the protection of personal data. The controller and processor
must provide all necessary support for the DPO to do their tasks and not provide
instruction regarding those tasks.
Section 5 = Codes of conduct and certification
Article 40: Codes of conduct –– Member States, the supervisory authorities, the
Board, and the Commission shall encourage the drawing up of codes of conduct
intended to contribute to the proper application of the GDPR.
Article 41: Monitoring of approved codes of conduct –– A body with adequate
expertise in the subject-matter and is accredited to do so by the supervisory authority
can monitor compliance with a code of conduct.
Article 43: Certification bodies –– Certification bodies accredited by Member States
can issue and renew certifications.
- Role of Data Protection Officer
- Task expected of Data Protection Officer
Page | 25
Article 39: Tasks of the data protection officer
To monitor compliance Protection of personal data, including

With GDPR Assignment of responsibilities
With other data protection provisions Awareness-raising
With the policies of the controller or Training of staff involved in processing
processor
Related audits
Awareness – Raising – is responsibility of the DPO. (if there is not DPO, the
information security professional has to step in)
Review:
Question: Which of the following are tasks assigned to the Data Protection Officer, as
outlined in Article 39?
 To inform and advise the controller and/or processor and the employees who
carry out processing of their obligations under the GDPR
 To cooperate with the supervisory authority
 To be contact point on all issues relating processing of data
 To monitor a company’s compliance with the GDPR.
Chapter VIII: Remedies, Liability and penalties
Article 77: Right to lodge a complaint with a supervisory authority –– Every data
subject has the right to lodge a complaint with a supervisory authority.
Article 78: Right to an effective judicial remedy against a supervisory authority ––
Each natural or legal person has the right to a judicial remedy against a decision of a
Page | 26
Article 79: Right to an effective judicial remedy against a controller or processor –
– Each data subject has the right to a judicial remedy if the person considers his or her
Article 80: Representation of data subjects –– Data subjects have the right to have
an organization lodge a complaint on his or her behalf.
annual turnover.
Article 84: Penalties –– Member States can make additional penalties for
infringements.
Article 82: Right to compensation and liability –– Any person who has suffered
damage from infringement of this Regulation has the right to receive compensation from
the controller or processor or both.
Article 82: Right to compensation and liability
- Individual can claim compensation from controller or processor
- Controllers and Processor can recover damages from one another

annual turnover.
Article 83; General conditions for imposing administrative fines

1. Each supervisory authority shall ensures that the imposition of administrative fines
pursuant to the Article in respect of infringements of this Regulation referred to in
paragraphs 4, 5, 6, shall in each individual case be effective, proportionate and
dissuasive.
Page | 27
Fine should be of sufficient magnitude to act as deterrent to all controllers and
processors.
The GDPR allows for fines that are “dissuasive”, meaning: Dissuasive fines are
described as “of sufficient magnitude to act as a deterrent to the controller or processor,
and to the other organization acting as controller or processor”
Article 83 General conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines
pursuant to this Article in respect of infringements of this Regulation referred to in
paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and
dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case,
be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j)
of Article 58(2). When deciding whether to impose an administrative fine and deciding
on the amount of the administrative fine in each individual case due regard shall be
given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature
scope or purpose of the processing concerned as well as the number of data subjects
affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by
data subjects;
(d) the degree of responsibility of the controller or processor taking into account
technical and organisational measures implemented by them pursuant to Articles 25
and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory
authority, in particular whether, and if so to what extent, the controller or
processor notified the infringement;
(i) in case measures referred to in Article 58(2) have previously been ordered against
the controller or processor concerned with regard to the same subject-matter,
compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved
certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits gained, or losses avoided, directly or indirectly, from the
infringement.
3. If a controller or processor intentionally or negligently, for the same or linked
processing operations, infringes several provisions of this Regulation, the total amount
Page | 28
of the administrative fine shall not exceed the amount specified for the gravest
infringement.
4. Infringments of the following provisions shall, in acccordance with paragraph 2, be
subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking,
up to 2 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25, 26,
27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to 20 000 000 EUR, or in the case of an
undertaking, up to 4 % of the total worldwide annual turnover of the preceding
financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to
Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international
organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted unter Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or
the suspension of data flows by the supervisory authority pursuant to Article 58(2) or
failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in
Article 58(2) shall, in acccordance with paragraph 2 of this Article, be subject to
administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to
4 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to
Article 58(2), each Member State may lay down the rules on whether and to what extent
administrative fines may be imposed on public authorities and bodies established in that
Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be
subject to appropriate procedural safeguards in accordance with Union and Member
State law, including effective judicial remedy and due process.
Article 80 Under Article 80 of the GDPR, the amount of damages awarded could be
unlimited.
Principles Consent
Article 5 Article 7
Page | 29
PERSONAL DATA
Data Subject Rights Transferring Personal Data
Article 12- 22 Article 44-49
The best plan to raise awareness within your company would begin by matching
pertinent topics with various department and sectors of the company. Then explain and
define the difficult concepts in engaging way. Connect with the various groups at a level
which will aid understanding and reinforce new behaviors.
GDPR is Everyone’s Responsibility (TOP – DOWN)
Privacy By Design
Assess the need for compliance
Does the company provide goods/service to individual in EU?
Does the company monitor the behavior of individual in the EU?
Does the company have employees or contractors in the EU?
Does the company have an EU parent company/ EU subsidiary/ EU business partner
company with which share data of individual in the EU?
Module 3: Data Protection by Design and by Default
Article 25 Data protection by design and by default
1. Taking into account the state of the art, the cost of implementation and the
nature, scope, context and purposes of processing as well as the risks of
varying likelihood and severity for rights and freedoms of natural persons posed
by the processing, the controller shall, both at the time of the determination of the
means for processing and at the time of the processing itself, implement
appropriate technical and organisational measures, such as pseudonymisation,
which are designed to implement data-protection principles, such as data
minimisation, in an effective manner and to integrate the necessary safeguards
Page | 30
into the processing in order to meet the requirements of this Regulation and
protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational
measures for ensuring that, by default, only personal data which are necessary
for each specific purpose of the processing are processed. That obligation
applies to the amount of personal data collected, the extent of their processing,
the period of their storage and their accessibility. In particular, such measures
shall ensure that by default personal data are not made accessible without the
individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an
element to demonstrate compliance with the requirements set out in paragraphs
1 and 2 of this Article.
How can we build data

protection from the start
By incorporating data By knowing the key
protection in application stakeholders
By incorporating data By knowing the business

protection in service units impacted
• Examine how to incorporate data protection in all applications and services.

• Determine key stakeholders and appropriate business units impacted.
• Formulate an effective plan that supports the mantra of data protection by design
and by default.
Data Protection by Design and Default

Introduction:
How can we build data protection from start?
• By incorporating data protection in applications
• By incorporating data protection in services
• By knowing the key stakeholders
• By knowing the business units impacted
• By formulating an effective plan
By following the mantra of data protection by design and by default.
Page | 31
Phase 2: Implement
• Identify gaps and develop project plan to meet the data protection requirements
set forth by GDPR. Two areas identified as particular adding to the heavy
workload as DATA PROTECTION IMAPACT ASSESSMENT (DPIA) and
SUBJECT ACCESS REQUEST (SAR). Companies need to scope out how they
plan to do these, and they too are subject to a RISK ASSESSMENT/MATURITY
roadmap process.
• Refine the solutions necessary for improving data protection and ensuring
adherence to requirements and regulations.
• Implement procedure to DETECT, REPORT, and INVESTIGATE personal data
breaches.
• Test, deploy, and QA all CONTROLS and solutions developed to achieve
compliance.
• Develop an internal GDPR audit plan
• Operationalize the efforts of monitoring all data protections controls created.
Data Protection by Design and by Default
• Far-Reaching
• Significant
- Data protection by design
- Data protection by default
Paragraph 1: Data Protection by Design and During Processing
- Sate of the Art

- Cost of Implementation
- Nature, Scope, Context of Processing
- Risk of Varying Likelihood and Severity
- Rights and Freedom of Natural Person
State of the Art
Page | 32
Cost of Implementation
Nature, Scope, Context of Processing
Risk of Varying Likelihood and Severity
Rights and Freedom of Natural Persons
State of the Art
- Technical and Organizational Available Technologies

- As technical measures change, controller may be expected to change the
measures in place
- Keeping Current
Not a compliance Project Built-in flexibility Requirements can be address in many
way
Cost of Implementation
- Cost can be considered
- Not a reason to avoid selecting measure
- One of several factors
Nature, Scope, Context of Processing
Risk of Varying Likelihood and Severity
- Data Protection Impact Assessment

- DPIA
- Create a checklist
- Capture risk factors
- Assesse the system as a whole
Middle
- Controller shall
- Time of determination,
- Time of the processing,
- Appropriate measures,
- Designed to implement principles,
- In an effective manner ,
- Integrate necessary safeguards,
- Meet the requirement of GDPR,
- Protect the rights of data subject.
Page | 33
The controller must select the CONTROL BASED on ANALYSIS.
- Through records
- Why particular measure were selected
- The selection process that was followed
- Audit and accountability trail
PSEUDONYMIZATION: The processing of personal data such manner that the

personal data can no longer be attributed to a SPECIFIC DATA SUBJECT without the
use of additional information.
DATA MINIMIZATION: Personal data shall be ….. ADEQUATE, RELEVANT, and

LIMITED to what is necessary in relation to the PURPOSES for which they are
processed.
END: Any measure chosen
- Meet the requirement of the GDPR

- Protect the rights of data subjects.
Summary:
Chapter III three: Rights of the data subject
Article 15: Right of access by the data subject

Article 16: Right to rectification
Article 17: Right to erasure (right to be forgotten)
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data or
restriction of processing
Article 20: Right to data portability
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling
Any measures chose must meet these rights
How will we pass encrypted details to another controller?

How will we share keys to decryption?
Page | 34
How can that happen without compromising the encryption?
Review:
Questions: In Article 25, the phrase “state of the art” indicates which of the following?
Answer:
Methods of handling data must take into account all available technologies.
Technical and organizational methods of handling data must be modern and
standard.
Technologies that are still speculative or “on the drawing board” are acceptable.
The methods in practice now will need to change as the technology changes.
The standard methods used in May of 2018 will be acceptable into the future.
In Article 25 , the phrase “state of art” indicates? Means that when selecting a method
or technology, a data controller must take into account the available technologies, rather
than any speculating or drawing-board product. It is also implies change, - and that as
technical measure change, controller may be expected to change the measures they
have in place to match what is considered to be the current state of the art.
Question: Pseudonymisation and data minimization will be a part of any effective plan
to become GDPR compliant?
Answer: False
Question: The last few words of Article 25, Paragraph 1, warn that any measure
chosen must “ meet the requirements of this regulation and protect the right of
data Subjects” Which oft eh following rights are guaranteed to the data subject by the
GDPR?
Answer:
- Right of access by the data subject
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to notified regarding rectification
- Right to be notified of erasure of personal data
- Right to be notified of restriction of processing
- Right to data portability
- Right to object
Page | 35
- Right to not be subject to decision based solely on automated processing
including profiling
Chapter III three: Rights of the data subject

Article 15: Right of access by the data subject
Article 16: Right to rectification
Article 17: Right to erasure (right to be forgotten)
Article 18: Right to restriction of processing
data or restriction of processing
Article 20: Right to data portability
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling

Paragraph 2 Data Protection by Default
2 The controller shall implement appropriate technical and organisational measures

for ensuring that, by default, only personal data which are necessary for each
specific purpose of the processing are processed. That obligation applies to the
amount of personal data collected, the extent of their processing, the period of their
storage and their accessibility. In particular, such measures shall ensure that by
default personal data are not made accessible without the individual's intervention to
an indefinite number of natural persons.
Accessibility to Personal data is to be controlled.
Page | 36
Consider alternatives to protect personal data
- Technical
- Organizational
- Document what the organization has done
- Show what the receiving organization has done
DPIA – Provide the reasoning behind the selection of selected measures
Data Protection by Default

Personal Data Lifecycle
1. Collect
2. Process
3. Store
4. Transmit
5. Delete
Paragraph 3:
Module 3: Data Protection by Design and by Default
Page | 37
3) An approved certification mechanism pursuant to Article 42 may be used
as an element to demonstrate compliance with the requirements set out in
paragraphs 1 and 2 of this Article.
Question: Which of the following are acceptable ways to documents and demonstrate
compliance of your system with the GDPR?
Answer: The Data Protection Impact Assessment (DPIA) and approved certification
mechanisms are two ways to demonstrate compliance with GDPR.
Chapter IV four: Controller and Processor

Three: An approved certification mechanism pursuant to Article 442 may be used as an
element to demonstrate compliance with the requirement sets out in Paragraphs in 1
and 2 of this article
Summary of Article 25
Chapter IV Four: Controller and processor

Article 25: Data protection by design and by default
Controller must implement technical and organizational measures:
- To protect rights of data subject
- To protect personal data
- At time of implementation and design
Controller must:
- Protect personal data throughout lifecycle
- Control access to personal data
Controller must meet the requirements of Article 25 Also 5, 16, 17, 18, 19, 20, 21, 22,
30, 47, 83, 35
Page | 38
annual turnover.
Article 83 : 10,000,000 Euro or 2% of Worldwide Turnover
Article 47:
Article 47 Binding corporate rules

1. The competent supervisory authority shall approve binding corporate rules in accordance
with the consistency mechanism set out in Article 63, provided that they:
(a) are legally binding and apply to and are enforced by every member concerned of the
group of undertakings, or group of enterprises engaged in a joint economic activity,
including their employees;
(b) expressly confer enforceable rights on data subjects with regard to the processing of
their personal data; and
(c) fulfil the requirements laid down in paragraph 2.
2. The binding corporate rules referred to in paragraph 1 shall specify at least:
(a) the structure and contact details of the group of undertakings, or group of enterprises
engaged in a joint economic activity and of each of its members;
the data transfers or set of transfers, including the categories of personal data, the type of
processing and its purposes, the type of data subjects affected and the identification of the
third country or countries in question;
(c) their legally binding nature, both internally and externally;
(d) the application of the general data protection principles, in particular purpose limitation,
data minimisation, limited storage periods, data quality, data protection by design and by
default, legal basis for processing, processing of special categories of personal data,
measures to ensure data security, and the requirements in respect of onward transfers to
bodies not bound by the binding corporate rules;
(e) the rights of data subjects in regard to processing and the means to exercise those
rights, including the right not to be subject to decisions based solely on automated
processing, including profiling in accordance with Article 22, the right to lodge a complaint
with the competent supervisory authority and before the competent courts of the Member
States in accordance with Article 79, and to obtain redress and, where appropriate,
compensation for a breach of the binding corporate rules;
(f) the acceptance by the controller or processor established on the territory of a Member
State of liability for any breaches of the binding corporate rules by any member concerned
not established in the Union; the controller or the processor shall be exempt from that
liability, in whole or in part, only if it proves that that member is not responsible for the event
giving rise to the damage;
Page | 39
(g) how the information on the binding corporate rules, in particular on the provisions
referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in
addition to Articles 13 and 14;
(h) the tasks of any data protection officer designated in accordance with Article 37 or any
other person or entity in charge of the monitoring compliance with the binding corporate
rules within the group of undertakings, or group of enterprises engaged in a joint economic
activity, as well as monitoring training and complaint-handling;
(i) the complaint procedures;
(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a
joint economic activity for ensuring the verification of compliance with the binding corporate
rules. Such mechanisms shall include data protection audits and methods for ensuring
corrective actions to protect the rights of the data subject. Results of such verification
should be communicated to the person or entity referred under point (h) and to the board of
the controlling undertaking of a group of undertakings, or of the group of enterprises
engaged in a joint economic activity, and should be available upon request to the competent
supervisory authority;
(l) the cooperation mechanism with the supervisory authority to ensure compliance by any
member of the group of undertakings, or group of enterprises engaged in a joint economic
activity, in particular by making available to the supervisory authority the results of
verifications of the measures referred to in point (j);
(m) the mechanisms for reporting to the competent supervisory authority any legal
requirements to which a member of the group of undertakings, or group of enterprises
engaged in a joint economic activity is subject in a third country which are likely to have a
substantial adverse effect on the guarantees provided by the binding corporate rules; and
(n) the appropriate data protection training to personnel having permanent or regular access
to personal data.
Chapter V Five: Transfer of personal data to third countries or

international organizations
Article 47: Binding corporate rules

2. The binging corporate rules referred to in Paragraph 1 shall specify at least:
Want to transfer personal data to a third country or international organization?
- You must specify that the destination has complied with Article 47.
- Extraterritorial Force
- Controller and Processor cannot just transfer personal data!
- Receiving organization must also comply with GDPR.
Question Answer
(Article 47) Any organization wishing to transfer personal data to a third country or
international organization must specify that the destination has also complied with the
GDPR.
Page | 40
(Article 83) if the controller fails to protect the right of data subject, his organization will
be subject to a fine of up to 10 million EUR or 2% of worldwide annual turnover, which is
higer.
(Article 25) A controller must 1. Implement technical and organizational measures to
protect the rights of the data subject 2. Protect personal data throughout its life cycle;
and 4 control access to that personal data.
Module 4: Policies and Procedures
Defining policies, processes and governance around personal data.
This module explores policies and procedures required under the GDPR and provides
insights into identifying gaps, omissions or updates required in your current policies,
process and governance structure for GDPR compliance.
• Discover any gaps, omissions or updates in current policies, processes and

governance structure due to GDPR.
• Assess the changes in policies and procedures required for GDPR.
• Amend and enhance current policies and procedures to ensure GDPR
compliance.
Introduction
- Policies
- Procedures
- Governance
- Gaps
- Omissions
- Changes required
Framework for Success

Phase 2: Implement
- Identify gaps and develop project plan to meet the data protection requirements
set forth by GDPR. Two areas identified as particularly adding to heavy workload
are Data Protection Impact Assessment and subject access request. Companies
need to scope out how they plan to do these, and they too are subject to a RISK
assessment/maturity road map process.
Page | 41
- Refine the solutions necessary for improving data protection and ensuring
- Implement procedures to Detect, Report, and Investigate personal data
breaches.
- Test, deploy and QA all controls and solutions developed to achieve compliance
- Develop an internal GDPR audit plan
- Operationalize the efforts of monitoring all data protection controls created.
Policies, Procedures, and Tasks
Policy: Statement of business intent; Documents supported by senior management

that specific objective of an organization. Defined and specified at board level.
Procedure: What people must do to deliver policy objectives. Detailed sets of tasks.
Undertaken at operational level.
Key Policies of the GDPR
- Communicating your policies

- Principles of Article 5: Article 5: Principles relating to processing of
personal data –– Personal data shall be processed lawfully, fairly, and in a
transparent manner; collected for specified, explicit, and legitimate purposes; be
adequate, relevant, and limited to what is necessary; etc.
- Article 24: Responsibilities of the Data Controller Article 24: Responsibility of
the Controller –– The controller has to ensure that processing is in accordance
with this Regulation.
- Racital 78: Demonstrating compliance
- Suggested Policies
Communicating your policies
Data Privacy Policy

- Must be displayed wherever data is captured
Data Protection Policy
- Part of business security policy documentation.
Controllers and Processor in the EU
Page | 42
Controllers not based in EU
Principles of Article 5
CHAPTER II PRINCIPLES
Article 5 Principles relating to processing of personal data
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject
('lawfulness, fairness and transparency');
(b) collected for specified, explicit and legitimate purposes and not further processed in
a manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall, in accordance with Article 89(1), not be considered to be incompatible
with the initial purposes ('purpose limitation');
(c) adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed ('data minimisation');
(d) accurate and, where necessary, kept up to date; every reasonable step must be
taken to ensure that personal data that are inaccurate, having regard to the purposes
for which they are processed, are erased or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the personal data will be processed solely
for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1) subject to implementation of the
appropriate technical and organisational measures required by this Regulation in order
to safeguard the rights and freedoms of the data subject ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or organisational measures
('integrity and confidentiality').
2. The controller shall be responsible for, and be able to demonstrate compliance with,
paragraph 1 ('accountability').
- Data Protection Policy

- Data Privacy Policy
The rights of a natural person:
Page | 43
- Protection of personal data
- Protection of processing of personal data
- Unrestricted movement of personal data
-
Policies
Data Privacy Policy
- Must be displayed wherever data is captured
Data Protection Policy
- Part of business security policy documentation
Controllers and Processors in the EU.

Controllers not based in EU
Principal of Article 5
2. The controller shall be responsible for, and be able to demonstrate compliance with,
paragraph 1 (‘accountability’)
Chapter IV Four: Controller and Processor
SECTION 1 GENERAL OBLIGATIONS
Article 24 Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing as well as
the risks of varying likelihood and severity for the rights and freedoms of natural
persons, the controller shall implement appropriate technical and organisational
measures to ensure and to be able to demonstrate that processing is performed in
accordance with this Regulation. Those measures shall be reviewed and updated where
necessary.
2. Where proportionate in relation to processing activities, the measures referred
to in paragraph 1 shall include the implementation of appropriate data protection
policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved
certification mechanisms as referred to in Article 42 may be used as an element by
which to demonstrate compliance with the obligations of the controller.
Recital 78: Demonstrating Compliance
Page | 44
- General Protection Regulation
- Data Security Policy
“… the controller should adopt internal policies and implement measures that
fulfil in particular the principles of data protection by design and by default. “
Secuirty Policy Documentation :
For GDPR listed policy must have

- Acceptable Use Policy
- Clean Desk Policy
- Data Backup Policy
- Email Policy
- Data Erasure Policy
- Data Encryption Policy
- Data Transfer Policy
- Ethics Policy
- End-Point Security Policy
- Laptop Security Policy
- Password Protection Policy
- Mobile Device Security Policy
- Remote Access Policy
- Router and Switch Security Policy\
- Server Security Policy
- Security Policy
- Server Hardening Policy
- Software Installation Policy
- Wireless Communication Policy
- Workstation Security Policy
Questions: The integrity and confidentiality principal, as defined in Article 5 of the

GDPR, specifies that personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorized or
unlawful processing and against accidental loss, destruction or damage, using
appropriate technical or organizational measures.
Answer: True
Question: Personal data shall be collected for specified, explicit and legitimate purpose
and not further processed in a manner that is incompatible with those purpose.
The statement above refers to which of the following principles, as defined in Article 5?
Page | 45
The statement refers to the principle of purpose limitation.
necessary; etc.
Procedures
• General Data Protection Regulation

• Data Security Policy
• Procedures
1. Steps
2. Tasks
3. Auditable
4. Accountable
5. Document
6. Trial
7. Test
8. Agree
Subject Access Request (SAR)
Data Subject Bill of Rights
- Right to be informed
- Right of access
- Right to erasure
- Right to restrict processing
- Right to object
- Right in relation to automated decision making and profiling.
Question: The abbreviation SAR stands for:

Answer: Subject Access Request
Question: A procedure must be in place to ensure that a user can gain access to the
data the business holds and have the data moved to a “PORTABLE” format so that the
data can be moved to another “CONTROLLER”. Attention must be given to that may be
ENCRYPTED by the CURRENT controller; how the data will be TRANSPOTED and
what will be done about the ENCRYTION KEYS.
Page | 46
Answer ; The right of data portability (The data subject’s right to data portability)
Question: The GDPR defines specifically both the policies and procedures that any and
all controller and processor in the EU must comply with, IRRESPECTIVE of where the
processing take place. It also applies to controller who are not based in the EU.
Answer: False The GDPR defines that right of the data Subject and certain principles
that must be complied with the handling of data. Each controller and processor must
first interpret the guidelines of the GDPR then apply them to the specific data collection
processed of their company.
Page | 47
Module 5: Organizational Culture
This module provides insights into importance of creating the right culture for data
protection to meet GDPR requirements and protect all stakeholders.
• Examine the current culture around privacy within your organization.

• Identify behaviors and tools to overcome challenges and pitfalls in the
organization’s culture around data privacy protection.
• Deliver a culture change program
Introduction
• Examines culture around data privacy

• Identify tools for overcoming attitudes
• Tailor and deliver culture change program
Phase 1: Develop
Phase 2: Implement
Phase 3: Improve
Work Culture will affect every aspect of the GDPR-compliance effort!
LAWS and Culture
Laws Define : Societal expectation of what is acceptable

- Values
- Attitudes
- Beliefs
- Society
- Industry
- Profession
GDPR and Culture
Organizational Awareness
Without the support of:
STAFF: Aware, Educated, Trained
Investments – Policies – Procedures - Technology
Page | 48
At best = minimized At worst = worthless
“Awareness and Education” No Specific mention of culture

CHAPTER IV: Controller and processor
Article 39 Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry
out processing of their obligations pursuant to this Regulation and to other Union or
Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data
protection provisions and with the policies of the controller or processor in relation to the
protection of personal data, including the assignment of responsibilities, awareness-
raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact
assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to
processing, including the prior consultation referred to in Article 36, and to consult,
where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due
regard to the risk associated with processing operations, taking into account the nature,
scope, context and purposes of processing.
CHAPTER V
Transfer of Personal Data to Third Countries or International Organizations
Article 47 Binding corporate rules
1. The competent supervisory authority shall approve binding corporate rules in
accordance with the consistency mechanism set out in Article 63, provided that they:
(a) are legally binding and apply to and are enforced by every member concerned of the
group of undertakings, or group of enterprises engaged in a joint economic activity,
including their employees;
(b) expressly confer enforceable rights on data subjects with regard to the processing of
their personal data; and
(c) fulfil the requirements laid down in paragraph 2.
2. The binding corporate rules referred to in paragraph 1 shall specify at least:
Page | 49
(a) the structure and contact details of the group of undertakings, or group of
enterprises engaged in a joint economic activity and of each of its members;
the data transfers or set of transfers, including the categories of personal data, the type
of processing and its purposes, the type of data subjects affected and the identification
of the third country or countries in question;
(c) their legally binding nature, both internally and externally;
(d) the application of the general data protection principles, in particular purpose
limitation, data minimisation, limited storage periods, data quality, data protection by
design and by default, legal basis for processing, processing of special categories of
personal data, measures to ensure data security, and the requirements in respect of
onward transfers to bodies not bound by the binding corporate rules;
(e) the rights of data subjects in regard to processing and the means to exercise those
rights, including the right not to be subject to decisions based solely on automated
processing, including profiling in accordance with Article 22, the right to lodge a
complaint with the competent supervisory authority and before the competent courts of
the Member States in accordance with Article 79, and to obtain redress and, where
appropriate, compensation for a breach of the binding corporate rules;
(f) the acceptance by the controller or processor established on the territory of a
Member State of liability for any breaches of the binding corporate rules by any member
concerned not established in the Union; the controller or the processor shall be exempt
from that liability, in whole or in part, only if it proves that that member is not responsible
for the event giving rise to the damage;
(g) how the information on the binding corporate rules, in particular on the provisions
referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in
addition to Articles 13 and 14;
(h) the tasks of any data protection officer designated in accordance with Article 37 or
any other person or entity in charge of the monitoring compliance with the binding
corporate rules within the group of undertakings, or group of enterprises engaged in a
joint economic activity, as well as monitoring training and complaint-handling;
(i) the complaint procedures;
(j) the mechanisms within the group of undertakings, or group of enterprises engaged in
a joint economic activity for ensuring the verification of compliance with the binding
corporate rules. Such mechanisms shall include data protection audits and methods for
ensuring corrective actions to protect the rights of the data subject. Results of such
verification should be communicated to the person or entity referred under point (h) and
to the board of the controlling undertaking of a group of undertakings, or of the group of
enterprises engaged in a joint economic activity, and should be available upon request
to the competent supervisory authority;
(k) the mechanisms for reporting and recording changes to the rules and reporting those
changes to the supervisory authority;
(l) the cooperation mechanism with the supervisory authority to ensure compliance by
any member of the group of undertakings, or group of enterprises engaged in a joint
economic activity, in particular by making available to the supervisory authority the
results of verifications of the measures referred to in point (j);
Page | 50
(m) the mechanisms for reporting to the competent supervisory authority any legal
requirements to which a member of the group of undertakings, or group of enterprises
engaged in a joint economic activity is subject in a third country which are likely to have
a substantial adverse effect on the guarantees provided by the binding corporate rules;
and
(n) the appropriate data protection training to personnel having permanent or
regular access to personal data.
3. The Commission may specify the format and procedures for the exchange of
information between controllers, processors and supervisory authorities for binding
corporate rules within the meaning of this Article. Those implementing acts shall be
adopted in accordance with the examination procedure set out in Article 93(2).
Culture will impact the effectiveness of your efforts to raise awareness - Culture
Influences behavior
What is Culture?
Defining “Culture”
 Consistent understanding ,
 Reduces the risk of confusion,
 Agreed point of reference,
 Approved by the Board.
Defining “Culture”
What is Culture?
“ the set of shared attitudes, values, goals, and practices that characterized an
institution or organization:”
‘The set of values, conventions, or social practices associated with a particular filed,
activity, or societal characteristic”
“A society’s shared and socially-transmitted ideas, values and perceptions, which are
used to make sense of experience and generate behavior, and are reflected in that
behavior”
Common Characteristics
Page | 51
Intangible Assets
Values Attitudes Beliefs
Tangible Assets
Artifcat Espoused Values
Visible Organizational Strategies

Structures
Process Goals
Procedures Philosophies
Policy Statement
GDPR Policy
The Heart of the Challlenge
The Heart of the Challenge of GDPR Compliance.
Formal and Informal
Page | 52
Interpreting Training
How will personal interpret the campaign?

Success
 “With sensitivity to local culture”
 Communication that appeals to everyone
 May not make an impact
Take time to understand audience on a deep level You are “SELLING” GDPR
compliance.
The Role of Culture Decision Making
Page | 53
• Subconscious
• Unconscious
• Biases
• Life Experiences
• Lessons Learned
Our Culture lenses
What role does culture play in GDPR compliance?

1. Recognize that culture exists
2. It can and will influence behavior
3. Even you have cultural bias
Cultural lens
 Organization Culture
 National Culture
 Industry Culture
 Other Subculture
How Values Influence Decisions
Cognitive Shortcuts
Page | 54
Short Cuts
• Cognitive Bias -
• -Heuristics
• Rules of Thumb
• Best Practices
• Common Sense
• Intuition
• Values -
A conflict of values can undo our hard work
Question: A culture can be formed in both formal and informal way. Which choices
below represent formal ways to shape company culture?
Answer: Published policy statements, Training sessions, Awareness raising campaigns
A company can formally shape the company culture by documenting statement of
policy, holding training sessions, and utilizing awareness-raising campaigns.
Attitudes and values are informal ways to shape the culture and often times will have
a much a bigger effect on the culture then formal efforts.
Question: Which of the following are ‘SHORTCUTS’ use when decision must be made
quickly, or under stress?
Page | 55
Answer: Cognitive bias, heuristics, intuition and vales to make decisions.
Short Cuts
• Cognitive Bias -
• -Heuristics
• Rules of Thumb
• Best Practices
• Common Sense
• Intuition
• Values -
Module 6: Implementation: From Policy to Operation
Operationalize data privacy management protection across the enterprise.
How to operationalize data privacy management protection across the enterprise by

embedding it into your processes and incorporating data protection and privacy in your
day-to-day operations.
• Identify the processes that can support GDPR efforts

• Decide the changes or enhancements required
• Revise, test and implement the processes
Introduction
 Processes
 Changes
 Enhancements
 Revise – Test – Implement
Incorporate data protection and privacy into day-to-day operations
Phase 2: Implement
set forth by GDPR. Two areas identified as particularly adding to the heavy
workload are Data Protection Impact Assessment and Subject Access Requests.
Page | 56
Companies need to scope out how they plan to do these, and they too are
subject to a RISK Assessment/maturity roadmap process.
• Refine the solutions necessary for improving data protection and ensuring
• Implement procedures to Detect, Report, and Investigate personal data
breaches.
• Test, deploy and QA all controls and solutions developed to
achieve compliance
• Operationalize the efforts of monitoring all data protection
controls created.
Phase 3: Improve
• Put GDPR efforts into maintenance/review/update mode
The CIA Triangle
Confidentiality: Ensure information is not available or disclosed to unauthorized

individuals, entities, or processes
Integrity: Maintain and assure accuracy and completeness of data over entire
lifecycle.
Avalibility: Ensure information is available when needed.
From Theory to Implementation
 Security policy documents

 Privacy statements
 Data Protection Impact Assessments (DPIA)
 Risk analysis
SECTION 2 SECURITY OF PERSONAL DATA
Article 32 Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, the controller and the processor
Page | 57
shall implement appropriate technical and organisational measures to ensure a level of
security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner
in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of
technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of
the risks that are presented by processing, in particular from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to personal data
transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved
certification mechanism as referred to in Article 42 may be used as an element by which
to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting
under the authority of the controller or the processor who has access to personal data
does not process them except on instructions from the controller, unless he or she is
required to do so by Union or Member State law.
Article 33 Notification of a personal data breach to the supervisory

authority
1. In the case of a personal data breach, the controller shall without undue delay and,
where feasible, not later than 72 hours after having become aware of it, notify the
personal data breach to the supervisory authority competent in accordance with Article
55, unless the personal data breach is unlikely to result in a risk to the rights and
freedoms of natural persons. Where the notification to the supervisory authority is not
made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of
a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the
categories and approximate number of data subjects concerned and the categories and
approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other
contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address
the personal data breach, including, where appropriate, measures to mitigate its
possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time,
the information may be provided in phases without undue further delay.
Page | 58
5. The controller shall document any personal data breaches, comprising the facts
relating to the personal data breach, its effects and the remedial action taken. That
documentation shall enable the supervisory authority to verify compliance with this
Article.
Article 34 Communication of a personal data breach to the data
subject
1. When the personal data breach is likely to result in a high risk to the rights and
freedoms of natural persons, the controller shall communicate the personal data breach
to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall
describe in clear and plain language the nature of the personal data breach and contain
at least the information and the recommendations provided for in points (b), (c) and (d)
of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be
required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection
measures, and that those measures were applied to the personal data affected by the
personal data breach, in particular those that render the personal data unintelligible to
any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the
rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to
materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a
public communication or similar measure whereby the data subjects are informed in an
equally effective manner.
4. If the controller has not already communicated the personal data breach to the data
subject, the supervisory authority, having considered the likelihood of the personal data
breach resulting in a high risk, may require it to do so or may decide that any of the
conditions referred to in paragraph 3 are met.
Review:
Question: Article 33 state that controller shall notify the supervisory authority in the case
of a personal data breach without undue delay, and where feasible, not later than 72
hours.
Questions: Which of the following are conditions under which a controller would not
need to communicate with the data subject following a data breach?
Page | 59
Answer: Article 34, Paragraph 3 specifics that communication to the data subject shall
not be required, “if the controller for processor] has implemented appropriate
technical and organizational protection measure... that render the personal data
unintelligible to any person who is not authorized to access it, such as
ENCRYPTION,” and also if “the controller has taken subsequent measure which
ensure that high risk to the rights and freedom of data subject … is no long likely to
materialize.”
Data Encryption – Confidentiality
CONFIDENTIALITY: Data Encryption
Static Data, Highly Mobile Devices Remote Access

Sensitive
Medical data Laptops Devices with remote access
Sexual Data Tablets Login credentials
Religious data USB sticks Stored on hard disk
INTEGRITY Data Access Control
Unique user-IDs Access logs Least privilege Remote access to

data
Stringent password Auditing of access Enough access to VPNs
controls perform work
Multi-factor New users No extra privilges Secure
authentication monitored
Immediate Encrypted
suspension of
access when
employee leaves
Device encryption to
protect VPN access
credentials
Availability Data Backup and Business Continuity
Secure back-ups Continuous operation Contigency Plan

Rotational basis Power Availability of data
Fully documented HVAC Test and validate regularly
Page | 60
Local backups Major equipment
Off-site/Cloud backups
Review
Question: Which of the processes list belwo could be used to identify static data that is
highly senstive nature, such as medical history data?
Answer:
• Subject Access Reuqest
• Risk Assessmetn
• USB sticks
• Remote wipe
• Data Protection Impact Assessment (DPIA)
Question: In order to ensure the integrity of data held by your company, all access
must be stricly controlled. Which of the following are ways in which do that.
• Unique User IDs
• Stringent password controls
• Multi-factor authentication
• Access log
Question: Which factors must be considered in terms of ensuring the availablity of your
company’s data?
Answer:
• Secure backup systems
• Power supply for continuous operation, HVAC, and other major equipment
• Contingnecy plans
Staff Awareness and Training
Staff Awareness and Training

• Our duty towards personal data
• Why data security is important
• Training and Reminding
• Reporting lost or stolen devices
Endpoint Security
Endpoint Security
• Secured devices
• Antivirus protections
Page | 61
• All patches are up to date
• Encryption
• Remote wipe
Data Subject Access Request
Internal business processes
Defined > Documented > Tested

Subject Access Request > 30 days
Data Subject Bill of Rights
- Right to be informed
- Right of access
- Right to erasure
- Right to restrict processing
- Right to object
- Right in relation to automated decision making and profiling.
Module 7: Data Classification and Mapping
Building out documentation and data flow diagrams for all personal data.
The importance of understanding your data and explore how to create data flow
diagrams for all personal data that enters and leaves the organization.
• Examine your data and the process of performing an inventory of that data
• Learn to classify and organize data
• Draw up the data lifecycle and data flows for personal data Generating
Documentation and Data Flow Diagrams
Phase 3: Improve
• Move into a state of continuous Improvement

Page | 62
• Enhance controls and customer service to remain GDPR-compliant and build
trust and value with customers.
Introduction:
Data
Data Classification and Mapping
Objective
Primary Objective
1. Understand your data and the process of performing an inventory of data
2. Learn to classify and organize data
3. Generate documentation and data flow diagrams
The General Data Protection Regulation – is a legal act of the European Union now
enforceable in all Member States.
Its full title is “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND
OF THE COUNCIL of 27 April 2016 on the protection of NATURAL PERSON with
Page | 63
Articles 25, 30 and 35
Section 3 = Data protection impact assessment and prior consultation
Article 25: Data protection by design and by default

Article 30: Records of processing activities
 Purpose
 Description of categories
 Transfers
 Time limits
 Technical methods
 Organization methods
Article 35: Data Protection Impact Assessment
 Document details of the processing operations
 Purpose of processing
 Interest pursued by the controller
 Necessity and proportionality of the processing
 Completed for each method of data processing
Understanding your Data?
The process of creating data map is fundamental to understanding an

organization’s current resources of personal information.
GDPR – a Real Opportunity to Better Understand Your Data
Page | 64
 What data is held?
 Where is it located?
 How many distinct categories?
 Who has access?
 What is it being used for”
 What consent has been given?
Performing an Inventory
 Shareholder information
 Contact Information
 Legal contract data
 Trade Reporting
 Insurance
 Case records
 Charitable donors
• Pseudonymization
• Encryption
• Appropriate level of security
Data mapping process Essential for GDPR compliance + Significant

Operational benefit.
Once business understands its data resources, it has the chance to determine
Retaining Data
Just in Case Data

GDPR compliance is an excellent opportunity:
• Rationalize data retention strategies
• Minimize data volume
• Reduce data costs
Classification and Organization
1. General Data Protection Regulation

2. Data Secuirty Policy
3. Procedures
4. Data Classification Policy
Page | 65
70% Unstructured / ROT-ten Data
ROT-ten Data
Redundant R
Obsolete O
Trivial T
- Redundant
- Obsolete
- Trivial
Only store what you need For as long as you need
Remove what you don’t need
- Better indexing
- Faster access
- Quicker recovery
- Reduced risk
Data Classification Policy
Implementing & maintaining An active data classification policy
1. Discovery – Plan
Where is the data?
File auditing tools
Cloud-access security brokers (CASB)
Who’s using it?
Who has access?
Who is responsible for it?
2. Deletion – Do
What is the data?
What does the data contain?
Do you still need it?
ROT-ten data
R = Redundant
O = Obsolete
T = Trivial
Keep a record of deletions
Accountability is a key GDPR Principle
Page | 66
3. Classification – Do
What is the data classification scheme?
Situational
Specific
Generic
Headers & Footers
Watermarks
Visible labeling
Tools help to automate this and will frequently be able to help with the
data discovery piece.
4. Monitoring – Check
Implement Appropriate Controls
Data Loss Prevention (DLP)
Supervisory Authority (SA)
What data has been lost?
How was the data lost?
What is being done?
5. Review – Act
Constant review & adjustment

Server Rack
Instruments
Security
Network
Cloud Storage
Updates
Question: Statistics indicate that anything up to 70% of unstructured data on network

could be consider ROT-ten. What does ROT-ten stand for? Redundant, Obsolete,
Trivial
Earlier, we described five steps for implementing and maintain an active data
classification
Chapter 1 General Provisions
Article 4: Definitions For the purpose of this Regulation:
Page | 67
(5) ‘PSEUDONYMISATION’ means the processing of personal data in such a
manner that the personal data can no longer be attributed to a specific data
subject without the use of additional information, provided that such additional
information is kept separately and is subject to technical and organizational measure to
ensure that the person data are not attributed to an identified or identifiable natural
person.
Documentation and Data Flow Diagrams
Chapter V Transfer of Personal Data to Third Countries or International

Organizations
Article 45: Transfers on the basis of an adequacy decision –– A transfer of personal
data to a third country or international organization can occur if the Commission has
decided the country or organization can ensure an adequate level of protection.
Page | 68
Article 46: Transfers subject to appropriate safeguards –– If the Commission has
decided it can’t ensure an adequate level of protection, a controller or processor can
transfer personal data to a third country or organization if it has provided appropriate
safeguards.
Information flow: The transfer of information from one location to another.

Examples:
Inside of EU To Outside of EU
Suppliers > Sub-Suppliers > Company > Customers
Data Lifecycle
1. Collect
2. Process
3. Store
4. Transmit
5. Delete
Identifying the Key Elements
Data Classification and Mapping
Page | 69
- Information Flow
- Understood
- Well-described on Paper
- Translated into Data Flow Diagram
9. What kind of data is being processed?

10. What category does it fall into?
11. In what format do you store the data?
12. How do you collect the data?
13. How do you share it internally and externally?
14. What locations are involved within the data flow?
15. Who is accountable for the personal data?
16. Who has access to the data?
To effectively map your data, you need to understand the information flow, describe it
and identify its key elements.
Which of the following are good reason to purge your company’s ‘just in case’ and
‘ROT-ten’ data?
 To minimize the data volumes
 To allow for faster indexing
 To allow for quicker recovery following a breach
 To reduce risk in the case of a breach
Page | 70
There are five steps to implement and maintain an active data classification policy.
Discovery – Plan Where is the data?
Deletion – Do what is the data?
Classification – Do what is the data classification scheme?
Monitoring – Check Implement Appropriate Controls
Review – Act Constant review & adjustment
Page | 71
Module 8: Data Protection Impact Assessment:
Complement to Risk Management
Integrating the data protection impact assessment (DPIA) into risk

management.
The value of integrating the data protection impact assessment (DPIA) required under
GDPR into the enterprise risk management process to prioritize efforts and manage the
highest risk to the organization's data first.
• Examine the data protection impact assessment (DPIA) under the GDPR
• Determine how to integrate DPIA into risk management.
• Define, implement and maintain a DPIA approach.
Introduction:
Data Protection Impact Assessment
Conduct Risk assessment <- Identify Personal Data > Prioritize efforts
V V
Identify Processing systems Highest-risk areas

Phase 2: Implement
set forth by GDPR. Two areas identified as particularly adding to the heavy
workload are Data Protection Impact Assessment and Subject Access Request.
Companies need to scope out how they plan to do these, and they too are
subject to a risk assessment /maturity roadmap process.
• Refine the solution necessary for improving data protection and ensuring
adherence to requirements and regulation.
Page | 72
• Implement procedures to Detect, Report, and Investigate personal data breaches
• Test, Deploy, and QA all controls and solution developed to achieve compliance
• Operationalize the efforts of monitoring all data protection controls created.
Phase 3: Improve
• Move into a state of continuous improvement
• Enhance controls and customer service to remain GDPR-compliant and build
trust and value with customers.
Article 35 Data protection impact assessment

1. Where a type of processing in particular using new technologies, and taking into
account the nature, scope, context and purposes of the processing, is likely to result in
a high risk to the rights and freedoms of natural persons, the controller shall, prior to
the processing, carry out an assessment of the impact of the envisaged
processing operations on the protection of personal data. A single assessment
may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated,
when carrying out a data protection impact assessment.
3. A data protection impact assessment referred to in paragraph 1 shall in particular be
required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural
persons which is based on automated processing, including profiling, and on which
decisions are based that produce legal effects concerning the natural person or similarly
significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or
of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
4. The supervisory authority shall establish and make public a list of the kind of
processing operations which are subject to the requirement for a data protection impact
assessment pursuant to paragraph 1. The supervisory authority shall communicate
those lists to the Board referred to in Article 68.
5. The supervisory authority may also establish and make public a list of the kind of
processing operations for which no data protection impact assessment is required. The
supervisory authority shall communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent
supervisory authority shall apply the consistency mechanism referred to in Article 63
where such lists involve processing activities which are related to the offering of goods
Page | 73
or services to data subjects or to the monitoring of their behaviour in several Member
States, or may substantially affect the free movement of personal data within the Union.
7. The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of
the processing, including, where applicable, the legitimate interest pursued by the
controller;
(b) an assessment of the necessity and proportionality of the processing operations in
relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in
paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into account the rights and
legitimate interests of data subjects and other persons concerned.
8. Compliance with approved codes of conduct referred to in Article 40 by the relevant
controllers or processors shall be taken into due account in assessing the impact of the
processing operations performed by such controllers or processors, in particular for the
purposes of a data protection impact assessment.
9. Where appropriate, the controller shall seek the views of data subjects or their
representatives on the intended processing, without prejudice to the protection of
commercial or public interests or the security of processing operations.
10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in
Union law or in the law of the Member State to which the controller is subject, that law
regulates the specific processing operation or set of operations in question, and a data
protection impact assessment has already been carried out as part of a general impact
assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not
apply unless Member States deem it to be necessary to carry out such an assessment
prior to processing activities.
11. Where necessary, the controller shall carry out a review to assess if processing is
performed in accordance with the data protection impact assessment at least when
there is a change of the risk represented by processing operations.
Article 35: Data protection impact assessment
1. Where a type of processing in particular using a new technologies, and taking

into account the nature, scope, context and purpose of the processing, is likely to
result in a high risk to rights and freedoms of Natural Person, the controller shall,
prior to the processing, carry out an assessment of the impact of the envisaged
processing operation on the protection of personal data. A single assessment
may address a set of similar processing operations that present similar high
risks.
What constitutes new technologies? That is open to interpretation.
Page | 74
Controllers must prove processing can be excluded.
Keep records of all decisions
• Secuirty professional
• Use risk management
• To help assess the risk
• To rights and freedoms
Assessing Risk to Rights and Freedoms
Risk to Rights and Freedoms

Risk assessment may require specialist input
- Review rights and freedoms
- Determine if a high risk exists
- If risky, Data Protection Impact Assessment must be carried out
- Keep records of risk assessment
Role of the Data Protection Officer

2. The controller shall seek the advice of the data protection officer, where
designated, when carrying out a data protection impact assessment.
Risky Activities

3. A data protection impact assessment referred to in paragraph 1 shall in particular be
required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural
persons which is based on automated processing, including profiling, and on which
decisions are based that produce legal effects concerning the natural person or similarly
significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or
of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
A data protection impact assessment (DPIA) will need to be completed for:

A DPIA will need to be conducted for each method of data processing used by your
organization, depending on risk to the rights and freedoms of the data subject. And as
the technology changes, the DPIA will need to be revised.
Page | 75
A data protection impact assessment:
The DPIA can and should be integrated into your existing risk management process.

Article 35, Paragraph 2: The controller shall seek the advice of the data protection
officer, where designated, when carrying out a data protection impact assessment.
Article 35, Paragraph 3:

2. A data protection impact assessment referred to in Paragraph 1 shall in particular
be required in the case of:
(a) A systematic and extensive evaluation of personal aspect relating to natural
persons which is bade on automate processing, including profiling, and on
which decisions are based that produce legal effects concerning the natural
person or similarly significantly affect the natural person
(b) Processing on large scale of special categories of data referred to in Article
9(1) or of personal data relating to criminal conviction and offences referred to
in Article 10 or
(c) A systematic monitoring of a publicly accessible area on large scale.
 Review rights and freedoms

 Determines if high risk exists
 If risky, Data protection impact assessment must be carried out
 Keep records of risk assessments
Supervisory Authorities
4. The supervisory authority shall establish and make public a list of the kind of
processing operations which are subject to the requirement for a data protection impact
assessment pursuant to paragraph 1. The supervisory authority shall communicate
those lists to the Board referred to in Article 68.
5. The supervisory authority may also establish and make public a list of the kind of
processing operations for which no data protection impact assessment is required. The
supervisory authority shall communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent
supervisory authority shall apply the consistency mechanism referred to in Article 63
Page | 76
where such lists involve processing activities which are related to the offering of goods
or services to data subjects or to the monitoring of their behaviour in several Member
States, or may substantially affect the free movement of personal data within the Union
The supervisory authority shall establish and make public a list of the kind of
processing operations which are subject to requirement…
The supervisory authority may also establish and make public a list of the kind of
processing operation for which no data protection impact assessment is required.
Prior to the adoption of the lists referred in Paragraphs 4 and 5, the competent
supervisory authority shall apply the consistency mechanism…
Controller may have to meet requirements of other supervisory

authorities.
Structure of the DPIA

The assessment shall contain at least:
(a) A systematic description of the envisaged processing operation and the purpose
of the processing, include where applicable, the legitimate interest pursued by
the controller.
(b) An assessment of the necessity and proportionality of the processing
operation in relation to the purpose;
(c) An assessment of the risk to the right and freedoms of data subject referred in
Paragraph 1; and
(d) The measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into account the rights and
legitimate interests of data subject and other person concerned
(the rights ---Measurement taken must be recorded in DPIA)
Why is data being processed?
What is the legitimate interest?
 Required,
 Proportionate,
Page | 77
 Corresponds to Article 5, P1.
Risk to rights and freedom
Controller shall record within DPIA.
Question: Data Protection officer will decide whether and how to perform a DPIA?
Answer: The DPO does not necessarily have to consult on whether or not to perform
the DPIA.
Codes of Conduct

(8) Compliance with approved codes of conduct referred to in Article 40 by relevant
controllers or processors shall be taken into due account in assessing the impact of the
processing operation performed by such controllers or processors, in particular for the
purpose of a data protection impact assessment.
A Living Document

11. When necessary, the controller shall carry out review to assess if processing is
performed in accordance with the data protection impact assessment at least when
there is a change of the risk represented by processing operation.
Prior to processing > Update when changes occurs > A living document > Article 35,
P11
An Iterative Process
Article 35: Data protection impact assessment Life Cycle

1. Description of the proposed processing
2. Assessment of the necessity and proportionality
3. Measurement of processing to demonstrate compliance
4. Assessment of risk to rights and freedoms
5. Measurement of processing address the risks
6. Documentations
7. Monitoring and review
Page | 78
Question: When should the Data protection impact assessment be carried out?
Answer:
 The DPIA should be carried out prior to the processing of personal data.
 Again whenever changes occur in the processing of technologies used to
perform processing are changed.
 And while you should strive to be compliance with this regulation by May 25,
2018, the data protection impact assessment documents will need to be updated
regularly.
Question: How and why you will need to build a Data protection impact assessment.
Answer: Data Collection within your organization
Question: How data is collected and processed?
Answer: Integrate Data protection impact assessment into risk assessment process.
Page | 79
Page | 80

GDPR Study Notes PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GDPR Study Notes PDF

Uploaded by

Copyright:

Available Formats

General Data Protection Regulation.

All data are not created Equal

Its full title is “REGULATION (EU) 2016/679 OF THE EUROPEAN

Structure of the General Data Protection Regulation (GDPR)

What constitutes personal data?

Data mapping process Essential for GDPR compliance + Significant Operational

 What data is held?

Article 9: Processing special categories of personal data –– Processing personal

“The process of creating this data map is fundamental to understanding an

Data mapping process Essential for GDPR compliance + Significant Operational

What about Data Subjects under the age of 16?

Data Subject Rights

Module 1: Setting the Strategy: An Organizational Commitment

• Distinguish roles and responsibilities for GDPR compliance.

Settings the Strategy: An Organization Commitment

General Data Protection Regulation (GDPR) : An Organizational Commitment

Structure of the General Data Protection Regulation (GDPR)

Chapter 3 RIGHTS OF THE DATA SUBJECT

Chapter 5 TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR

Chapter 6 INDEPENDENT SUPERVISORY AUTHORITIES

Chapter 8 REMEDIES, LIABILITY AND PENALTIES

Chapter 9 PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS

Chapter 11 FINAL PROVISIONS

CHAPTER 3 RIGHTS OF THE DATA SUBJECT

CHAPTER 4 CONTROLLER AND PROCESSOR – This chapter covers the general

CHAPTER 5 TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR

CHAPTER 6 INDEPENDENT SUPERVISORY AUTHORITY – This chapter requires

CHAPTER 8 REMEDIES, LIABILITY, AND PENALTIES – This chapter covers the

CHAPTER 9 PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS –

CHAPTER 10 DELEGATED ACTS AND IMPLEMENTING ACTS

CHAPTER 11 FINAL PROVISIONS - This chapter explains the relationship with

A Business Issue: Organization/Controller: Meet principles & Demonstrate

The decision may lie with marketing, shipping, or finance.

Decision and Details:

Chapter 3: Right of the Data Subject

Chapter Four IV: Controller and Processor

DETECT and REACT without UNDUE DELAY

Chapter 8 VIII: Remedies, liability and Penalties

Module 2: Organizational Awareness

Personal Data is Everyone’s Responsibility

You should be able to construct a GDPR Internal Awareness Plan.

Personal Data is Everyone’s Responsibility

Without the support of Staff: Aware – Educated – Trained

Proven techniques and approaches

AIMS and Objectives of GDPR

To monitor compliance Protection of personal data, including

Chapter VIII: Remedies, Liability and penalties

Article 83: General conditions for imposing administrative fines –– Each

Article 83; General conditions for imposing administrative fines

Article 83 General conditions for imposing administrative fines

Data Subject Rights Transferring Personal Data

Article 12- 22 Article 44-49

GDPR is Everyone’s Responsibility (TOP – DOWN)

Module 3: Data Protection by Design and by Default

Article 25 Data protection by design and by default

How can we build data

By incorporating data By knowing the business

• Examine how to incorporate data protection in all applications and services.

Data Protection by Design and Default

Data Protection by Design and by Default

Paragraph 1: Data Protection by Design and During Processing

- Sate of the Art

State of the Art