PROTECTION REGULATION (GDPR)
What does GDPR want?
■ Protection of personal data and privacy of EU citizens
■ Restriction on export of personal data outside the EU
Areas protected by GDPR.
When?
■ The regulation was adopted on 27 April, 2016
■ Companies must be able to show compliance by 25 May, 2018
What data does GDPR protect?
■ Personally identifiable information (PII) is any data that can be used to identify a specific individual, such as:
  ■ Basic identity information – name, address, ID numbers and email addresses
  ■ Web data – location, IP address, cookie data, RFID tags, login IDs, social media posts, digital images, geolocation, biometric and behavioral data
  ■ Health and genetic data
  ■ Biometric data
  ■ Racial or ethnic data
  ■ Political opinions
  ■ Sexual orientation
The rights of a data subject
Any resident of the EU can demand the following:
■ Right to access – find out what information about him or her you hold, where it came from, when it was used and who used it.
■ Right to be forgotten – ask that all records, and all traces, of him or her be removed. This applies when:
  ■ The personal data is no longer necessary in relation to the purpose for which it was collected
  ■ The individual specifically withdraws consent to processing
  ■ Personal data has been unlawfully processed
  ■ The data must be erased in order for a controller to comply with legal obligations (for example, the deletion of certain data after a set period of time)
GDPR – algorithms and analytics
■ GDPR will have a significant effect on data capture by algorithms or for the purpose of analytics
■ In order to use personal data:
  ■ Data controllers and processors must implement new technical measures to ‘pseudonymise’ data to reduce the risk of unauthorized re-identification
  ■ Data Protection by Default requires data protection to be applied at the earliest opportunity and requires that steps be affirmatively taken to make use of personal data
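As an added illustration of the pseudonymisation measure above (example code written for this page, not from the regulation or any vendor), the block below contrasts an unkeyed hash, which a guessable identifier such as an email address defeats, with an HMAC keyed pseudonym whose key the controller keeps apart from the dataset. The records and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people); the direct identifier is the email.
RECORDS = [
    {"email": "alice@example.com", "visits": 3},
    {"email": "bob@example.com", "visits": 7},
    {"email": "alice@example.com", "visits": 1},
]


def new_pseudonymisation_key() -> bytes:
    """Secret key for the controller; store it separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone who can guess the input can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: deterministic for one key, so analytics can still link rows,
    but recomputation (and therefore re-identification) needs the secret key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed pseudonym, keeping the analytic fields."""
    return [{"subject": keyed_pseudonym(r["email"], key), "visits": r["visits"]} for r in records]


def guessable_input(pseudonym: str, pseudonymiser, candidates: list):
    """Re-identification risk check: can a candidate list of plausible identifiers
    reproduce the pseudonym without any secret? Returns the match or None."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymiser(candidate), pseudonym):
            return candidate
    return None
```

For the unkeyed scheme, guessable_input recovers the email from a short candidate list; for the keyed scheme it returns None unless the caller also holds the key, which is why the key must be stored and access-controlled apart from the dataset.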
GDPR and automated decision making
■ Article 22 of the regulation restricts the use of intelligent algorithms in decision making and profiling of individuals
■ E.g. bail, immigration, etc.
Who will be responsible for compliance?
■ Data Controller – the user/consumer of the personal data – a company that wants to act on it
■ Data Processors – the company or an outsourced partner – who seeks and works on the data – as a service provider to the Data Controller
■ Data Protection Officer – an appointed officer responsible for responding to all queries and ensuring compliance. Could be an internal officer or an external consultant
Which companies does this apply to?
Any company that stores or processes personal information about EU citizens within EU states and that has:
■ A presence in an EU country
■ No presence in the EU, but processes personal data of EU residents
■ More than 250 employees
■ Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects
Information companies must provide
■ Article 13 of the regulation tells us the information to give:
  ■ Details about the data controller
  ■ Contact details for the controller’s Data Protection Officer, such as a generic email address dataprotection@company.com
  ■ What processing is done and the legal basis for doing it
  ■ Who data will be passed on to
  ■ How data is protected if it is passed or stored outside the EU
  ■ How long data is retained
  ■ How to exercise the right to have data erased, probably through a generic email address such as dataprotection@company.com
  ■ A ‘self-service’ area on a website for individuals to maintain the personal data they have provided
The internet is notorious for providing all kinds of personal data in this day and age, and its rampant use makes this very data difficult to safeguard.
What if you are not GDPR compliant?
■ Steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance
6 steps to GDPR (figure; only step 6, “Revise and repeat”, is legible in the extracted text)