GENERAL DATA

PROTECTION
REGULATION (GDPR)
What does GDPR want?
■ Protection of personal data and
privacy of EU citizens
■ Restriction on export of
personal data outside the EU
Areas protected by GDPR.
When?
■ The regulation was adopted on 27 April, 2016
■ Companies must be able to show compliance by 25 May, 2018
What data does GDPR protect?
■ Personally identifiable information (PII) is any data that can
be used to identify a specific individual, such as:
■ Basic identity information – name, address and ID numbers, and
email addresses
■ Web data – location, IP address, cookie data, RFID tags, login IDs,
social media posts, or digital images, geolocation, biometric, and
behavioral data
■ Health and genetic data
■ Biometric data
■ Racial or ethnic data
■ Political opinions
■ Sexual orientation
The rights of a data subject
Any resident of EU can demand the following:
■ Right to access – find out what information about him or her you
hold, where did it come from, when it was used and who all used
it.
■ Right to be forgotten – ask for all records – and all traces of
him/her be removed. This applies when:
■ The personal data is no longer necessary in relation to the purpose for
which it was collected
■ The individual specifically withdraws consent to processing
■ Personal data has been unlawfully processed
■ The data must be erased in order for a controller to comply with legal
obligations (for example, the deletion of certain data after a set period
of time)
 GDPR – algorithms and analytics
■ GDPR will have a significant effect on data capture by
algorithms or for the purpose of analytics
■ In order to use personal data:
■ Data controllers and processors must implement new technical
measures to ‘pseudonymise’ data to reduce the risk of
unauthorized re-identification
■ Data Protection by Default requires data protection to be applied
at the earliest opportunity and requires that steps be affirmatively
taken to make use of personal data
 GDPR and automated decision making
■ Article 22 of the regulation
restricts the use of intelligent
algorithms in decision making
and profiling of individuals
■ E.g. Bail, immigration, etc.
Who will be responsible for compliance?
■ Data Controller – is the
user/consumer of the personal data
– a company that wants to act on it
■ Data Processors – the company or
an outsourced partner – who seeks
and works on the data – as a service
provider to the Data Controller
■ Data Protection Officer – an
appointed officer responsible for
responding to all queries and
insuring compliance. Could be an
internal officer or an external
consultant
Which companies does this apply to?
Any company that stores or processes personal information
about EU citizens within EU states that has:
■ A presence in an EU country
■ No presence in the EU, but it processes personal data of
EU residents
■ More than 250 employees
■ Fewer than 250 employees but its data-processing
impacts the rights and freedoms of data subjects.
Information companies must provide
■ Article 13 of the regulation tells us the information to give:
■ Details about the data controller
■ Contact details about the controller’s Data Protection Officer, such as a
generic email address dataprotection@company.com
■ What processing is done and the legal basis for doing it
■ Who data will be passed on to
■ How data is protected if it is passed or stored outside the EU
■ How long data is retained
■ How to exercise the right to have data erased, probably through a
generic email address such as dataprotection@company.com.
■ A ‘self-service’ area on a website for individuals to maintain the personal
data they have provided
The internet is notorious for providing all kinds of personal data in this day and
age. Rampant use of which, makes it difficult to safeguard this very data.
What if you are not GDPR compliant?
■ Steep penalties of up to €20 million or 4 percent of
global annual turnover, whichever is higher, for non-
compliance
6 steps to GDPR 6 – Revise and repeat

5–

Assess and document additional

risks and processes
4 – Privacy and Data Protection Impact
Assessment of policies by evaluating data life
cycles from origination to destruction points
3 – Classify data that can directly or indirectly identify an
EU citizen, then determine its relevance
2 – Create a Data Register, a GDPR diary to maintain proof of the
companies GDPR process
 GDPR and data capture
■ Each time you request data, consent is required, especially, if the data is
being processed for different purposes
■ A single consent does not cover all instances of data capture
■ Businesses will no longer be able to rely on opt-out processes or implicit
consent
■ Inaction on the part of a user does not assume consent
■ Clear, plain language needs to be used every time data is requested
■ To gain consent, companies need:
■ A written statement – including by electronic means
■ An oral statement
■ Ticking of a box on a website
■ Choosing technical settings for information society services
GDPR and data capture
■ Consent should be verifiable, so data controllers will need to keep
detailed records to prove a user has ‘opted-in’ and consented.
■ To stay on the right side of the law, companies will need to:
■ Get valid consent for use of any personal data, with an affirmative act by
the subject
■ Explain how and why data will be processed in any given circumstance
■ Re-obtain consent if the processing methods change or use of that data
alters
■ Provide records of consent and access to the data that has been captured
upon request
Making your organisation GDPR compliant
■ Identify what personal data you have and where it is
■ Logging all use of personal data is extremely important
■ Control the manner in which personal data is accessed and
used
■ Implement measures to prevent, detect, and respond to
vulnerabilities in the system and to data breaches
■ Maintain documentation and handle requests for personal
data and notification of breaches
■ Set up a process for ongoing assessment
Sources
■ https://www.csoonline.com/article/3202771/data-protection/general-data-protection-
regulation-gdpr-requirements-deadlines-and-facts.html
■ https://www.eugdpr.org/
■ https://gdpr-info.eu/
■ http://ec.europa.eu/justice/data-protection/reform/index_en.htm
■ http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know-8
■ https://www.csoonline.com/article/3239786/regulation/6-steps-for-gdpr-compliance.html
■ https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
■ https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-
assessment/getting-ready-for-the-gdpr/
■ https://gowlingwlg.com/GowlingWLG/media/UK/pdf/170630-gdpr-checklist-for-
compliance.pdf
■ https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-
assessment/data-controllers/
■ https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-
assessment/data-processors/
THANK YOU
Questions?