Understanding the EU's new General Data Protection Regulation (GDPR)

Upload: acquia

Post on 21-Jan-2018



GDPR at Acquia

“Acquia is well positioned to meet the GDPR requirements by the May 2018 deadline. We are building on work we have done to obtain and maintain our EU-U.S. Privacy Shield framework certification, as well as our work with customers around the EU model clauses that Acquia has also implemented.

We’re focused not only on meeting our own obligations, but also on providing the tools that our customers will need to help them meet their obligations under GDPR as well.”

Who am I

Tassos Koutlas, PhD, UK Technical Director, FFW

Have been working in technology for 15 years

- Drupal and the web

- Machine learning and machine vision

- Devops

Contents

● Context

● Definitions

● Principles

● Rights

● Penalties

● How to prepare

Context

European law has two types of legislation:

1. Directives - Member states implement

2. Regulations - Immediately applicable

EU GDPR is a regulation.

1981 - EU Treaty 108 - 8 principles for protecting personal data

1995 - EU Data Protection Directive (95/46/EC)

1998 - Human Rights Act (HRA 1998) - Art. 8 right to privacy

2016 - EU GDPR approved, law in 2 years

Definitions

Subject matter

Rules relating to the protection of natural persons with regard to the processing of personal data.

Processing means any operation or set of operations which is performed on personal data.

Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Natural person is a living individual.

Personal data is any information relating to an identified or identifiable natural person ('data subject').

Name, identification number, location data, an online identifier or any factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controller

Determines the purposes and means of the processing of personal data.

It can be a natural or legal person, public authority, agency or other body.

It can act alone or jointly with others.

FFW and Acquia are controllers of the data they collect for their marketing activities.

Processor

Processes personal data on behalf of the controller.

It can be a natural or legal person, public authority, agency or other body.

FFW and Acquia are processors for other parties as part of their services.

Consent

It signifies agreement to the processing of personal data.

It must be freely given and must give a specific, informed and unambiguous indication of the data subject's wishes.

It must be by a statement or by a clear affirmative action.

Principles

Privacy by design

GDPR enforces the concept of data protection by design and by default.

Businesses and organisations need to adhere to a few principles with regards to the personal data they are processing.

It is stated explicitly within the law that organisations are responsible and should be able to demonstrate compliance with those principles.

Six principles

Six principles are mentioned with regards to personal data.

1. Should be processed lawfully, fairly and in a transparent way.

2. Should be collected for specified, explicit and legitimate purpose.

3. Should be kept up to date.

4. Should be limited to what is necessary.

5. Should not allow identification of people for longer than necessary.

6. Should be processed in a way that ensures appropriate security.

An example

Requiring consent to exhibit the lawfulness of processing personal data (principle 1).

- Consent was freely given, specific, informed and unambiguous.

- It was a positive opt-in

- The person was informed that she can withdraw consent at any time.

Compliance:

- Clear privacy notice and terms and conditions, opt-in rather than opt-out

- Ability for people to withdraw consent

Another example

Asking for feedback through a form via the website capturing the email of a person.

Under GDPR an email is personal data.

Principle 6: Should be processed in a way that ensures appropriate security.

Compliance:

- SSL and HTTPS traffic only through the website

- Firewall policy for the database server

- Access controls for people accessing the network

Rights


The following are mentioned with regards to personal data.

Appropriate measures (processes, procedures and training) to allow people to exercise those rights.

All forms of communication would need to be in a concise and easily accessible form using clear and plain language.

Legal documents would need to be revised so they are more accessible to the general public.

- the right to be informed;

- the right of access;

- the right to rectification;

- the right to erasure (right to be forgotten);

- the right to restrict processing;

- the right to data portability;

- the right to object; and

- the right not to be subject to automated decision-making, including profiling.

An example

In May 2015 the EU Court of Justice ruled that search engines are responsible for the content they point to and thus need to comply with EU privacy law.

Google was asked to comply with the right to be forgotten.

- Created the framework to remove search results from EU index

- Created the process for people to request removal

Establish processes, procedure and staff training to deal with people exercising their rights.
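The feedback-form consent example above and the rights of withdrawal, erasure and portability, worked as an added Python example (constructed for this page, not code from the talk, FFW or Acquia); the in-memory store, the retention period and the field names are assumptions:

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed retention period and the purpose stated in the privacy notice.
RETENTION = timedelta(days=365)
PURPOSE = "respond to website feedback"


class FeedbackStore:
    """Hypothetical in-memory store keyed by e-mail (personal data under GDPR)."""

    def __init__(self):
        self._records = {}

    def submit(self, form, now=None):
        # Positive opt-in: only an explicitly ticked box counts; a missing key
        # or a pre-ticked default passed as None is not a clear affirmative action.
        if form.get("consent") is not True:
            raise ValueError("explicit opt-in required")
        given = (now or datetime.now(timezone.utc)).isoformat()
        # Data minimisation: store only the fields needed for the stated purpose.
        self._records[form["email"]] = {
            "email": form["email"],
            "message": form["message"],
            "consent": {"purpose": PURPOSE, "given_at": given},
        }
        return True

    def withdraw(self, email):
        """Right to withdraw consent: processing stops and the record is erased."""
        return self.erase(email)

    def erase(self, email):
        """Right to erasure (right to be forgotten)."""
        return self._records.pop(email, None) is not None

    def export(self, email):
        """Right to data portability: JSON as a commonly used format."""
        rec = self._records.get(email)
        return json.dumps(rec, indent=2) if rec else None

    def purge_expired(self, now=None):
        """Principle 5: drop records kept longer than the retention period."""
        now = now or datetime.now(timezone.utc)
        expired = [e for e, r in self._records.items()
                   if datetime.fromisoformat(r["consent"]["given_at"]) + RETENTION < now]
        for e in expired:
            del self._records[e]
        return len(expired)
```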

Penalties

Low

Fine up to 10,000,000 EUR or 2% of total worldwide turnover, whichever is higher.

- Child consent

- Processing not requiring identification

- Data protection by design and by default

- Joint controllers

- Representative of controllers not established in EU

- Processing

- Cooperation with supervisory authority

- Data security

- Notifications of breaches to supervisory authority

- Communication of breaches to data subjects

High

Fine up to 20,000,000 EUR or 4% of total worldwide turnover, whichever is higher.

- Principles relating to the processing of personal data

- Lawfulness of processing

- Conditions of consent

- Processing of special categories of personal data (i.e. sensitive data)

- Data subjects' rights

- Transfers to third countries

- Access to supervisory authority

- Order/limitations on processing or the suspension of data flows

How to prepare

Steps to prepare

Awareness

Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

Privacy information

Review your current privacy notices and put a plan in place to make any necessary changes.

Information audit

Document what personal data you hold, where it came from and who you share it with.

Individual’s rights

Check procedures to ensure they cover all the rights individuals have (e.g. how to delete personal data, or provide data electronically in a commonly used format).


Data breaches

Procedures to detect, report and investigate a personal data breach

Data protection by design and data protection impact assessments

Familiarise yourself with the latest guidance from the Article 29 Working Group and with how to implement Privacy Impact Assessments for your organisation (or talk to us at FFW about it).

Access requests

Update procedures and plan how to handle requests within the timescales.

Lawful basis of processing

Identify your lawful basis of processing, document it and update privacy notice to explain it.

Children

Do you need to put systems in place to verify individuals' ages and obtain parental or guardian consent?


Data protection officers

Designate someone (within your organisation or some legal entity) to take responsibility for data protection compliance. Assess where the role will sit within the organisational structure.

International

If your organisation operates in more than one Member State, determine your lead data protection supervisory authority.

Organisations not established in EU

Designate in writing a representative in EU.

Case study - Hotjar

Thoroughly research the areas of our product and our business impacted by GDPR - COMPLETE

Appoint a Data Protection Officer - COMPLETE

Rewrite our Data Protection Agreement - COMPLETE

Develop a strategy and requirements for how to address the areas of our product impacted by GDPR - COMPLETE

Perform the necessary changes/improvements to our product based on the requirements - IN PROGRESS


Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR - IN PROGRESS

Thoroughly test all of our changes to verify and validate compliance with GDPR - IN PROGRESS (being done incrementally as changes are completed)

Finalize and communicate our full compliance - TO BE ANNOUNCED

Final Thoughts

To prepare for GDPR, you must understand which data you create, where and how you process and finally store it.

Only then, you will be able to take the right actions to comply with the new regulations. Acquia and FFW are ready to support you on this journey.

Questions