#GDPR
GDPR - General Data Protection Regulation
EU's legislation to strengthen data protection regulations.
- Describe the scope of GDPR
- Key GDPR personal data protection terms
- Principles governing personal data protection
- Key GDPR policies
- Penalties for violating GDPR
Data protection: personal information is collected by all companies, could be an email address, postal information;
need to protect that data from data breaches.
Data breach - unauthorised exposure of stored personal data; can cause damage that can lead to identity theft / access to banking and other highly sensitive online accounts.
Data breaches examples
- Microsoft
Cost of data breaches
- Ponemon cost of data breach study: rise to 3.92 million
Legal Effect of GDPR
Before GDPR, EU member states regulated data privacy under the 1995 Data Protection Directive.
Since May 2018 - GDPR is enforceable in all EU member states.
GDPR is an EU regulation vs a directive, meaning it is applicable to all states without the need for national legislation.
Some states have however passed local data privacy laws.
GDPR applies to any firm established in the EU even if the firm outsources data processing to a non-EU entity.
GDPR applies to you if you are not in the EU and
- you offer goods or services to individuals in the EU
- monitor the behaviour of those individuals within the EU
Reach of GDPR
- orgs operating in the EU, orgs serving data controllers who are based in the EU (what does that mean?) or that deal with EU personal data
- orgs outside the EU providing goods and services to individuals in the EU
GDPR is to protect personal data
- personal data relates to an identified or identifiable individual, aka "data subject"
could be subject's name, gov ID #, phone number, address, account details, photos, videos, physical attributes
GDPR provides protection for special category data, eg. data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, health info, sex life or sexual orientation
GDPR prohibits processing of an individual's data unless
- a law or regulation allows *
- data subject consents
Processing
- anything that you do with personal data, including retaining it
GDPR - collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
controllers and processors of personal data are responsible for protecting personal data
data controller is a person or entity that determines why and how personal data is processed
data processor is responsible for processing personal data on behalf of a data controller.
data controllers/processors are responsible for proper processing of personal data/related records
both face prosecution if they don't fulfil their responsibilities
Data controllers also have to ensure their contracts with data processors are GDPR-compliant.
data controller may be liable for its data processor's failure to fulfil GDPR
Principles: definition
apply to collection, use, transfer and deletion of personal data.
data controllers and processors must adhere to these principles, incorporate them into data processing procedures & document their compliance.
Personal data
- must be processed lawfully, fairly & transparently
need to ask for consent to do anything that was not specified by the controller.
need consent before doing anything; subject should know the controller's identity, the data that will be processed, how it will be used and the purpose of the processing operations
need explicit consent for special category data
- should be collected for a specific purpose (purpose limitation)
- should be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (data minimisation)
- must be kept accurate and updated as needed (accuracy)
- storage limitation: PD must not be kept in a form which permits identification of data subjects any longer than is necessary for the purpose for which it was processed
- integrity/confidentiality - PD processed in a manner that ensures proper data security using tech/org measures, including protection against unauthorised or unlawful processing, accidental loss/damage
data subject should be told information in a clear, concise, transparent, intelligible and easily accessible form, using clear/plain language
info including
- type of personal data the controller has collected
- purpose for which it was collected
- identity/contact details of the controller/data protection officer
- recipient or category of recipient of the data subject's personal data
- can access personal data & supplementary info
- controllers must provide info without delay, within one month (3 months for complex queries)
- correct inaccurate or incomplete personal data
- controllers must respond within one month to requests to correct info
- controllers must provide notice of the correction to any third parties that have received the data
- subject can obtain and reuse their personal data for their own purposes across services
- subject can move, copy or transfer personal data easily from one IT env to another safely/securely
- subject may require deletion/removal of personal data as long as there is no legal ground for continued processing
- right applies when -- data subject withdraws consent -- personal data is no longer necessary -- data subject objects to processing and there is no overriding legitimate interest for continuing to process
- controller can refuse request if -- it needs to comply with a legal obligation -- in public interest
- aka right to be forgotten
Additional Controller/Processor Responsibilities
controllers and processors have to implement certain safeguards to ensure compliance. These include
Policies
Documents
Data protection officers
Privacy by design/default
Security
- pseudonymisation and encryption of personal data
- ensure ongoing confidentiality, integrity and availability
- restore data if something happens
- process of regular testing/assessing/evaluating effectiveness of technical & organisational measures
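Added example (not from the notes above) showing what the pseudonymisation item in the Security list and the data minimisation principle look like in practice: a record is stripped to the fields a purpose needs, direct identifiers are replaced by keyed-hash tokens, and the token-to-identity mapping is kept separately from the shared data set. The record, the field list, the key and the function names are all constructed for illustration; a real deployment would hold the key in a secret store rather than in source.

```python
"""Pseudonymisation of personal data before it is shared, with the
re-identification data kept separately. Standard library only."""
import hmac
import hashlib

# Constructed sample record: not a real person's data.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "phone": "+44 7700 900123",
    "country": "DE",
    "order_total": 42.50,
}

# Fields treated as direct identifiers of the data subject (assumed list).
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Assumption: in a real deployment this key lives in a KMS/secret store, apart
# from the pseudonymised data set. Hard-coded here only so the example runs.
PSEUDONYM_KEY = b"constructed-example-key-not-for-use"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of one identifier.

    Deterministic, so two records about the same person still link; but a
    holder of the token alone cannot recover the input, and a different key
    gives unrelated tokens, so data sets keyed differently cannot be joined.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseudo:" + digest[:16]


def minimise(record: dict, purpose_fields: set) -> dict:
    """Data minimisation: keep only the fields needed for the stated purpose."""
    return {k: v for k, v in record.items() if k in purpose_fields}


def pseudonymise(record: dict, key: bytes, vault: dict) -> dict:
    """Replace direct identifiers with tokens.

    The token -> original mapping is written to `vault`, which stands in for
    the additional information that must be kept separately from pseudonymised
    data. The returned record can go to a processor or analytics team; the
    vault stays with the controller.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = pseudonym(str(out[field]), key)
            vault[token] = out[field]
            out[field] = token
    return out


def reidentify(record: dict, vault: dict) -> dict:
    """Undo pseudonymisation. Only possible for whoever holds the vault."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) in vault:
            out[field] = vault[out[field]]
    return out


def shares_identifiers(record: dict, original: dict) -> bool:
    """Release check: does `record` still carry any identifier value of
    `original` in the clear? Must be False before the data is shared."""
    return any(
        field in record and record[field] == original.get(field)
        for field in DIRECT_IDENTIFIERS
    )


def prepare_for_sharing(record: dict, purpose_fields: set,
                        key: bytes, vault: dict) -> dict:
    """Minimise, pseudonymise what is left, then verify nothing leaked."""
    shared = pseudonymise(minimise(record, purpose_fields), key, vault)
    if shares_identifiers(shared, record):
        raise ValueError("direct identifier would be shared in the clear")
    return shared


if __name__ == "__main__":
    vault = {}
    shared = prepare_for_sharing(
        SAMPLE_RECORD, {"email", "country", "order_total"}, PSEUDONYM_KEY, vault
    )
    print("shared record:", shared)      # email is a token; name/phone dropped
    print("re-identified:", reidentify(shared, vault))
```

The split between the shared record and the vault is the point: a processor that receives only the pseudonymised set can still count orders per customer (same token for the same email), but cannot name anyone, and a breach of that set alone does not expose identities. Encryption of the stored records themselves, the other measure the notes list, is a separate control layered on top.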
Impact Assessments
- what impact might be incurred by processing the data
Contracts with data Processors
- if controller contracts a data processor, the contract must require the processor to take appropriate measures to ensure the security of processing
- allow data subjects to exercise their rights under GDPR
- delete or return all personal data to the data controller at the end of the contract
- allow for audits and inspections
- notify controller of any violations or breaches
International transfers
- transfer of data to a 3rd country outside the EU can happen if -- country has an adequate level of protection as specified by the EU commission -- DC or DP has appropriate safeguards
Breach Notifications
- notify regulator
- notify data subjects