What is GDPR

GDPR stands for General Data Protection Regulation. It is a regulation in EU law on data protection and privacy for EU citizens residing in the European Union. It has global reach, with tough sanctions for non-conformance. Its purpose is to provide assurances and rights to EU citizens residing in the EU whose data is collected by businesses in order to deliver a service or product.

  • GDPR stands for General Data Protection Regulation
  • It evolved from the Data Protection Directive, which came out in 1995
  • Adopted in April 2016 with a two-year grace period, which means compliance had to be in place by May 2018
  • Addresses modern uses of data
  • Respects the individual's right to their personal data

Cost of non-compliance

  • Major: €20 million or 4% of annual global revenue, whichever is higher
  • Minor: €10 million or 2% of annual global revenue, whichever is higher
  • Article 83 of the GDPR sets out the details

Parties involved

  • Data Controller: the entity collecting the data
  • Data Processor: the entity processing data on behalf of the Data Controller
  • Data Subject: the individual whose data is collected by the Data Controller in order to provide a service
  • Data Protection Officer: the role responsible for ensuring that an organization's data protection controls and the necessary governance are in place

Data types

Personal Data – any data from which an individual can be identified, for example:

  • IP Address
  • Email address
  • Address
  • etc.

Special categories of Personal Data

  • Date of birth
  • Religion
  • Gender
  • Personal lifestyle/affiliations
  • Genetic
  • Race
  • Ethnicity
  • Health, etc.

Rights of the Data Subject

  • Consent
  • Access
  • Deletion
  • Modification
  • Portability
  • Not to be subject to automatic data profiling

Breach notification

  • Data Processor: notify the Data Controller immediately
  • Data Controller: notify the authorities and the Data Subjects of the breach within 72 hours

How am I impacted?

  • If you are a business operating anywhere in the world and you collect information about EU citizens residing in the EU, you have to comply with GDPR.
  • Data subjects can be:
    • Your employees
    • Customers
  • In Canada, compliance with PIPEDA is not enough
  • In the United States, compliance with state regulations is not enough

Planning & Assessment

  • Conduct a thorough assessment to understand the data subject information you hold:
    • Where is it stored?
    • Which data elements are being collected?
    • What is the purpose of data collection?
  • Assign a Data Privacy Officer to provide guidance and governance oversight

Implementation

  • Implement policies, procedures, and governance mechanisms that address:
    • Tracking of explicit consent at every stage, i.e., when the customer agrees to provide their data and when they revoke access to their data
    • Collecting only the information that is necessary to provide the required service
    • Breach notification for both the Data Collector and the Data Processor
    • How to serve Data Subjects' requests to:
      • Delete their information
      • Update their information for accuracy
      • Move their data
    • Controls to protect the data in storage and transmission
    • Privacy by design