GENERAL DATA PROTECTION REGULATION (Effective: May 25, 2018)

Who does the GDPR affect?

The GDPR not only applies to organisations located within the EU but it will also apply to
organisations located outside of the EU if they offer goods or services to, or monitor the
behaviour of, EU data subjects. It applies to all companies processing and holding the
personal data of data subjects residing in the European Union, regardless of the
company’s location.

What constitutes personal data?

Any information relating to a natural person or ‘Data Subject’ that can be used to directly or
indirectly identify the person. It can be anything from a name, a photo, an email address, bank
details, posts on social networking websites, medical information, or a computer IP address.

Data Subjects under the age of 16

Parental consent will be required to process the personal data of children under the age of 16.

RIGHTS OF INDIVIDUALS UNDER THE GDPR

Under the GDPR, individuals have:

1. The right to access – right to request access to their personal data and to ask how their
data is used by the company after it has been gathered. The company must provide a
copy of the personal data, free of charge and in electronic format if requested.

2. The right to be forgotten – if consumers are no longer customers, or if they withdraw
their consent from a company to use their personal data, then they have the right to
have their data deleted.

3. The right to data portability – right to transfer their data from one service provider to
another, and the transfer must happen in a commonly used and machine-readable format.

4. The right to be informed – individuals must be informed before any gathering of their
data by companies. Consumers have to opt in for their data to be gathered, and consent
must be freely given rather than implied.

5. The right to have information corrected – individuals can have their data updated if it
is out of date or incomplete or incorrect.

6. The right to restrict processing – request that their data is not used for processing.
Their record can remain in place, but not be used.

7. The right to object – right to stop the processing of their data for direct marketing.
There are no exemptions to this rule, and any processing must stop as soon as the
request is received. In addition, this right must be made clear to individuals at the very
start of any communication.

8. The right to be notified – if there has been a data breach which compromises an
individual’s personal data, the individual has a right to be informed within 72 hours of first
having become aware of the breach.

BUSINESS IMPLICATIONS OF GDPR

• Appointment of a data protection officer or data controller who is in charge of
GDPR compliance.

Duties of the DPO:

  - Monitoring compliance with all relevant data protection regulations;
  - monitoring specific processes, such as data protection impact assessments, employee
awareness and training, as well as collaboration with authorities. The operating Data
Protection Officer must therefore not be recalled or disadvantaged for fulfilling these
tasks. Despite the monitoring function, the company itself remains responsible for
compliance with data protection regulations.
  - The Data Protection Officer must therefore be involved, properly and in a timely manner,
in all issues which relate to the protection of personal data. When the Data Protection
Officer is appointed, the company must publish the officer’s contact details and
communicate the appointment and contact details to the authorities.

• Preparation of Codes of Conduct or amendment of such codes for the purpose of
specifying the application of this Regulation, such as with regard to:

  - fair and transparent processing;
  - the legitimate interests pursued by controllers in specific contexts;
  - the collection of personal data;
  - the pseudonymisation of personal data;
  - the information provided to the public and to data subjects;
  - the exercise of the rights of data subjects;
  - the information provided to, and the protection of, children, and the manner in which
the consent of the holders of parental responsibility over children is to be obtained;
  - the measures and procedures referred to in Articles 24 and 25 and the measures to
ensure security of processing referred to in Article 32;
  - the notification of personal data breaches to supervisory authorities and the
communication of such personal data breaches to data subjects;
  - the transfer of personal data to third countries or international organisations; or
  - out-of-court proceedings and other dispute resolution procedures for resolving
disputes between controllers and data subjects with regard to processing, without
prejudice to the rights of data subjects pursuant to Articles 77 and 79.

• Ask for express consent from the individual subject before processing/using their
personal data. Parental consent will be required to process the personal data of
children under the age of 16.

• Report data breaches to supervisory authorities and individuals affected by a breach
within 72 hours of when the breach was detected.

• Perform impact assessments to mitigate the risk of breaches by identifying
vulnerabilities and how to address them.

PENALTIES FOR NON-COMPLIANCE

Minor breaches - 2% of annual global turnover or €10 Million, whichever is higher.

Major breaches - 4% of annual global turnover or €20 Million, whichever is higher.

There is a tiered approach to fines: for example, a company can be fined 2% for not having its
records in order (article 28), for not notifying the supervising authority and data subject about a
breach, or for not conducting an impact assessment. It is important to note that these rules apply
to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

INITIAL PREPARATIONS

A key component of the GDPR legislation is privacy by design.

Privacy by design requires that all departments in a company look closely at their data and how
they handle it. Here are a few first steps to prepare:

1. Map the company’s data

Map where all of the personal data in the entire business comes from and document what to do
with the data. Identify where the data resides, who can access it and if there are any risks to the
data.

2. Determine what data to keep

Don’t keep more information than necessary and remove any data that isn’t used.

In the clean-up process, ask:

  - Why exactly are we archiving this data instead of just erasing it?
  - Why are we saving all this data?
  - What are we trying to achieve by collecting all these categories of personal information?
  - Is the financial gain of deleting this information greater than that of encrypting and keeping it?

3. Put security measures in place

Develop and implement safeguards throughout the infrastructure to help contain any data
breaches. This means putting security measures in place to guard against data breaches and
taking quick action to notify individuals and authorities in the event a breach does occur.

4. Review the documentation

Under GDPR, individuals have to explicitly consent to the acquisition and processing of their
data. Pre-checked boxes and implied consent will not be acceptable anymore. Companies will
have to review all of their privacy statements and disclosures and adjust them where needed.

5. Establish procedures for handling personal data

As mentioned above, individuals have 8 basic rights under GDPR; hence, a company must
establish policies and procedures on how to handle each of these situations.

6. Carry out Data Protection Impact Assessments

A DPIA evaluates the origin, nature, particularity and severity of the risk to the rights and freedoms
of natural persons. A DPIA is mandatory if the company processes sensitive data on a large scale,
deploys new technology, or runs a profiling operation that is likely to affect people in a
significant manner.
