Last active June 24, 2021 04:06
Understanding GDPR


GDPR - General Data Protection Regulation

The EU's legislation to strengthen data protection regulations.

What is covered

  • Describe the scope of GDPR
  • Key GDPR personal data protection terms
  • Principles governing personal data protection
  • Key GDPR policies
  • Penalties for violating GDPR

Data protection: personal information is collected by all companies; it could be an email address or postal information.

Companies need to protect that data from data breaches.

Data breach - unauthorised exposure of stored personal data; it can cause damage that leads to identity theft or access to banking and other highly sensitive online accounts.

Data breaches examples

  • Microsoft

Cost of data breaches

  • Ponemon Cost of a Data Breach study: the average cost rose to 3.92 million

Legal Effect of GDPR

Before GDPR, EU member states regulated data privacy under the 1995 Data Protection Directive.

Since May 2018, GDPR is enforceable in all EU member states.

GDPR is an EU regulation, not a directive, which means it applies to all member states without the need for national legislation.

Some states have however passed local data privacy laws.

GDPR applies to any firm established in the EU, even if the firm outsources data processing to a non-EU entity.

GDPR applies to you if you are not in the EU and

  • you offer goods or services to individuals in the EU
  • you monitor the behaviour of those individuals within the EU

Reach of GDPR

  • orgs operating in the EU; orgs serving data controllers who are based in the EU (what does that mean?) or that deal with EU personal data
  • orgs outside the EU providing goods and services to individuals in the EU

GDPR exists to protect personal data.

Personal data

  • personal data relates to an identified or identifiable individual, aka the "data subject"

could be the subject's name, government ID number, phone number, address, account details, photos, videos, physical attributes

Special Category data

GDPR provides protection for special category data, e.g. the data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, health information, sex life or sexual orientation.

GDPR prohibits data processing of an individual's data unless

  • a law or regulation allows it *
  • the data subject consents

Data processing

  • anything that you do with personal data, including retaining it

GDPR definition - collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Who's responsible

Controllers and processors of personal data are responsible for protecting personal data.

A data controller is a person or entity that determines why and how personal data is processed.

A data processor is responsible for processing personal data on behalf of a data controller.

Data controllers/processors are responsible for the proper processing of personal data and related records.

Both face prosecution if they don't fulfil their responsibilities.

Data controllers also have to ensure their contracts with data processors are GDPR-compliant.

A data controller may be liable for its data processor's failure to fulfil GDPR.


GDPR Principles

These apply to the collection, use, transfer and deletion of personal data.

Data controllers and processors must adhere to these principles, incorporate them into their data processing procedures & document their compliance.

Personal data

  • must be processed lawfully, fairly & transparently

need to ask for consent to do something that was not specified with the controller.

need consent before doing anything; the subject should know the controller's identity, the data that will be processed, how it will be used and the purpose of the processing operations

need explicit consent for special category data

  • should be collected for a specific purpose (purpose limitation)
  • should be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (data minimisation)
  • must be kept accurate and updated as needed (accuracy)
  • storage limitation: PD must not be kept in a form which permits identification of data subjects any longer than is necessary for the purpose for which it was processed
  • integrity/confidentiality - PD processed in a manner that ensures proper data security using technical/organisational measures, including protection against unauthorised or unlawful processing and accidental loss/damage

Data Subject rights

Right to be Informed

The data subject should be told information in a clear, concise, transparent, intelligible and easily accessible form, using clear/plain language.

info including

  • the type of personal data the controller has collected
  • the purpose for which it was collected
  • the identity/contact details of the controller/data protection officer
  • the recipients or categories of recipients of the data subject's personal data

Right to access

  • can access personal data and supplementary info
  • controllers must provide the info without delay, within one month (3 months for complex queries)

Right to rectification

  • correct inaccurate or incomplete personal data
  • controllers must respond within one month to a request to correct info
  • controllers must provide notice of the correction to any third parties that have received the data

Right to data portability

  • the subject can obtain and reuse their personal data for their own purposes across services
  • the subject can move, copy or transfer personal data easily from one IT environment to another safely/securely

Right to Erase

  • the subject may require deletion/removal of personal data as long as there is no legal ground for continued processing
  • the right applies when -- the data subject withdraws consent -- the personal data is no longer necessary -- the data subject objects to processing and there is no overriding legitimate interest for continuing to process
  • the controller can refuse the request if -- it needs to comply with a legal obligation -- it is in the public interest
  • aka the right to be forgotten

Right to Restrict (processing)

Right to object (to processing)

Rights related to automated decision making/profiling

Special rights for child data subjects

Additional Conroller/Processor Responsiblities

Controllers and processors have to implement certain safeguards to ensure compliance. These include:

Data protection officers

Privacy by design/default

  • pseudonymisation and encryption of personal data
  • ensure ongoing confidentiality, integrity a
  • restore data if something happens
  • a process of regular testing/assessing/evaluating the effectiveness of technical & organisational measures

Impact Assessments

  • what impact might be incurred by processing the data

Contracts with data Processors

  • if a controller contracts a data processor, the contract must require the processor to take appropriate measures to ensure the security of processing
  • allow data subjects to exercise their rights under GDPR
  • delete or return all personal data to the data controller at the end of the contract
  • allow for audits and inspections
  • notify the controller of any violation or breaches

International transfers

  • transfer of data to a 3rd country outside of the EU can happen if -- the country has an adequate level of protection as specified by the EU Commission -- the DC or DP has appropriate safeguards

Breach Notifications

  • notify regulator
  • notify data subjects
