GDPR for dummies
Agreed in 2016, the motive of the General Data Protection Regulation (GDPR) is to better protect the personal data of European Union “data subjects” – EU citizens and other nationals physically present in the EU at the time data are collected. Visit: https://www.hipaajournal.com/gdpr-training/
- TAGS
- gdpr-compliance
- gdpr
GDPR for Dummies: Everything you need to know
1. What is GDPR?

General Data Protection Regulation (“GDPR”)

What is the purpose?
⇒ Better protect the personal data of European Union “data subjects” – EU citizens and other nationals physically present in the EU.

Who is concerned?
⇒ Any business or organization that offers services to EU data subjects, or that collects, processes or stores the data of EU data subjects.

The timeline
● 2016: GDPR agreed
● 2016 - 2018: Preparation
● 25th May 2018: GDPR came into effect.
2. What is Personal Data under GDPR?

What is personal data?
Personal data is a piece of information that contains an “identifier” and that pertains to a person.
GDPR personal data can be:
▸ Names
▸ Date of birth
▸ Telephone numbers
▸ Addresses
▸ Bank details
▸ Opinions
▸ Passport numbers
▸ Location data
▸ Audio/visual recordings of the individuals

So-called “anonymous” data does not need protection by data security laws.

Most data protection laws consider maintaining data longer than necessary a breach of privacy. Those storing data must carefully consider how to safely dispose of it once it has served the purpose it was collected for.
3. Sensitive data

What is sensitive data?
➢ Particular pieces of information that make individuals especially vulnerable.
➢ Requires greater levels of protection.
➢ Requires extra levels of checks and justification.

Examples
➢ Race or ethnicity
➢ Religious or spiritual beliefs
➢ Political or philosophical leanings
➢ Trade union alliances
➢ Biological/genetic data
➢ Medical data
➢ Sexuality/gender identity
4. Who’s involved in GDPR policy?

“The controller”
Government agency or organization (public or private) that initiates the collection and processing of personal data. They are also the ones who use it and, if necessary, share it.

“The processors”
Usually IT companies or third-party marketing companies. “Data processor” can also relate to any software used to process data. In many circumstances, the same organization can be both a data controller and a data processor.

“Data subjects”
People whose personal information is being used and processed by the controllers and processors. These individuals retain the right to access, correct or request the removal of information collected about them. GDPR also gives the data subject the right to portability.
5. What is GDPR Data Processing?

Exceptions to GDPR
Member states may apply for specific exemptions. If an individual poses a threat to the rights and freedoms of others, their data is often no longer protected under GDPR.

Examples of when personal data may no longer be protected:
● Defense concerns
● Crime prevention
● Financial security
● Prosecution of a crime
● Suspected tax evasion
● Public health concerns
● Freedom of information
6. Where will the GDPR Apply?

Data must be protected in line with EU standards for all its citizens, regardless of where the data itself is.
7. What about BREXIT and GDPR?

It is very likely that the UK’s new Data Protection Laws will take the same shape as GDPR. This is, in part, because many UK organizations will work with the data of EU data subjects.
8. GDPR in the United States

The EU-US Privacy Shield Framework
Adopted in 2016. Allows private data to be transferred outside of the EU if the recipient organization is certified by the US Department of Commerce or the EU Supervisory Authority. US organizations must certify they have “adequate safeguards” to protect data and must conduct an annual review to self-certify that they are compliant.
9. “GDPR right to be forgotten” and “GDPR right to be informed”

“Right to be forgotten”
Those who hold an individual’s personal data must delete it upon request if:
● The data has lost its relevance
● The subject withdraws consent
● The subject objects to the processing of the data
● The data was unlawfully processed

“Right to be informed”
Data subjects must receive information from the controller about:
● What information is collected
● What and how it’s stored
● How it’s being used
● Any change whilst the data is still in the controller’s possession
10. What are the GDPR Penalties for Non-Compliance?

As part of the original Directive on privacy, each member state can establish its own regime for penalties.
Maximum penalty: £500,000
Maximum penalty: €150,000

GDPR will standardise the penalty scheme. Now, the maximum penalty will be €20 million, or 4% of a company’s annual net worth.
11. What are the GDPR Privacy Principles?

01 Notification: Clear information on how the data is being used.
02 Lawfulness: Consent or a clear legal basis is needed for sharing data.
03 Limits: Personal data may only be disclosed when necessary.
04 Security: Reasonable measures are employed to protect the data.
05 Accountability: The controller and the processors must comply with GDPR.
06 Downstream Protection: Any party with which the information was shared must adhere to privacy legislation.
07 Access and Rights: The individual has the right to access and use his personal data.
08 Breach Notification: The individual must be notified of a breach within 72 hours.
12. What are Some Best Practices to Ensure Data Remains Protected?

1. Clear desk policy
Before any employee leaves his or her workstation:
▸ No materials describing private data are left on the desk
▸ Computers should be locked or logged off
▸ Any other electronic devices should be stored away or taken with the individual

2. Password security
Passwords:
▸ Should be long
▸ Should contain a mix of lower- and upper-case letters, numbers and special characters
▸ Should not be words
It is imperative that no passwords are written down, and if they are, they should be kept well away from the computer that they unlock.

3. Practice secure storage
▸ Any material that contains a person’s personal private information must be stored in a secure manner.
▸ If it is maintained digitally, it must be adequately encrypted.

4. Ensure that mobile devices are secure
Bring Your Own Device (BYOD) policies increase the risk of information theft. Devices should be adequately secured and, of course, be password-protected.

5. Ensure secure transmission of data
▸ Private information should not be sent via insecure, free email services or via fax.
▸ Senders of information should double-check that recipients are authorised to receive the information.

6. Secure workplaces from unauthorized personnel
▸ Workstations should be set up to prevent unauthorized visitors from seeing computer monitors
▸ Ensure that any files open on a desk are not readable by unauthorized passers-by.

7. Secure disposal of data
▸ Ensure that all protected data has been properly removed from DVDs, USB drives and mobile devices before disposal
▸ Hard copies of such data must be finely shredded

8. Reporting breaches
▸ The breach notification must be done within 72 hours
▸ The organization must report the breach to the EU Regulator
▸ Reports should be made if there has been a suspected, but unconfirmed, breach of data.
13. How to be GDPR-Compliant

How to be GDPR-Compliant in 7 steps
Step 1: Ensure privacy is a top priority for the organization
Step 2: Ensure accountability within the organization
Step 3: Ensure that data is properly processed
Step 4: Ensure third parties also adhere to GDPR
Step 5: Ensure the rights of the data subject are met
Step 6: Ensure all possible risks are accounted for
Step 7: Ensure there are procedures in place for dealing with data breaches.
14. GDPR Guide for Dummies: Conclusion

GDPR states:
● How data should be obtained
● How data should be processed
● How data should be stored

Businesses and organizations operating outside the European Economic Area (EEA)
Data subject to GDPR can only be shared with businesses and organizations in non-EU countries that have an adequacy agreement in place.

GDPR compliant:
● Compliance of third parties
● Compliance of operations

It is recommended businesses conduct a compliance audit and discuss their current level of data security with a GDPR Compliance Consultant.
GDPR for Dummies: You now know everything!

Find more information about GDPR here: https://www.hipaaguide.net/gdpr-for-dummies/