Why this GDPR now, and what is it?

Everything new and unknown is frightening.

BUT!!!

After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016.

So why the thousands of GDPR e-mails in the last month?

Enforcement date: 25 May 2018 - from which point organizations that are not in compliance may face heavy fines.

You should not worry about the 20,000,000 euro fine or 4% of turnover.

You should worry about a ban on processing information and personal data!

Penalty

"Everyone has the right to respect for his private and family life, his home and his correspondence."
Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR, 1950)

"The purpose of this Convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection")."
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108, 1981)

"Everyone has the right to respect for his or her private and family life, home and communications."

"Everyone has the right to the protection of personal data concerning him or her."
Charter of Fundamental Rights of the European Union, Articles 7, 8 (EU Charter, 2000)

Personal Data - "any information relating to an identified or identifiable natural person (‘data subject’)"

Includes: name, identification number, location data, online identifier, or anything specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.


Special categories of data (sensitive)
‣ Data revealing racial or ethnic origin
‣ Political opinions
‣ Religious or philosophical beliefs
‣ Trade union membership
‣ Genetic data
‣ Biometric data (for the purpose of uniquely identifying a natural person)
‣ Data concerning health, sex life or sexual orientation

Risk to the Rights and Freedoms, where the processing may give rise to:

Discrimination
Identity theft or fraud
Financial loss
Damage to reputation
Loss of confidentiality of personal data protected by professional secrecy
Unauthorised reversal of pseudonymisation
Any other significant economic or social disadvantage

GDPR, Preamble 75

Data Subject

Controller - "natural or legal person [...] which, alone or jointly with others, determines the purposes and means of the processing of personal data"

Processor - "natural or legal person [...] which processes personal data on behalf of the controller"

Data Protection Officer

PRINCIPLES FOR PROCESSING PERSONAL DATA
Fair, lawful and transparent
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability - Data Protection Officer

Transfers to a third country: the third country must have an "adequate level of protection".

Adequacy decisions taken by the European Commission so far:
Andorra, Argentina, Australia, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, US (!), Uruguay

An Information Security event is a system, service or network state condition, or occurrence, that indicates that information security may have been breached or compromised, that a security policy may have been violated, or that a control may have failed.

An Information Security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations.

The controller must notify a personal data breach (PDB) to the Data Protection Authority (DPA) "without undue delay and, where feasible, not later than 72 hours after having become aware of it".

If notification is not made within 72 hours, the controller must give reasons for the delay.

Notification is not required where the PDB is unlikely to result in a risk to the rights and freedoms of the data subjects.

Notification to the data subject:

When?
If the PDB is likely to result in a high risk to the rights and freedoms of natural persons, communicate it "without undue delay".

What?
Nature of the PDB, DPO contact details, likely consequences, measures taken, "in clear and plain language".

When it happens:

Plan and prepare
Detect and assess
Notify and respond
Collect evidence, carry out forensic analysis
Review and improve

IMPLEMENTATION CHECKLIST
Identify processing activities, e.g.: applications, IT systems, document filing (e.g. Excel) and physical files.

Create a procedure: record processing activities and purposes, categories of data subjects (e.g. employees, customers), categories of recipients; and provide deadlines (if possible) for deletion of data.

Carry out a data protection impact assessment ("DPIA") if: new technology is used that poses a high risk to individuals, processing involves regular and systematic monitoring, automated decision-making is utilized, or processing involves criminal records.

Ensure compliance with data protection principles: e.g., confirm and check the legal basis for processing.

Implement data security measures: comply with state-of-the-art security, taking into account the scope, circumstances and purposes of processing, and the likelihood of risks to individual rights.

Maintain the rights of data subjects - consider the:
right of notice (article 15)
right of correction (article 16)
right to be forgotten or of deletion (article 17)
right to restrict processing (article 18)
right to data portability (article 20)
right to object (article 21).

That's enough of this GDPR boredom for today.

GDPR Compliant

Aleksandar Savkovic

@WPAleks

WooCommerce Meetup Belgrade

13 June 2018

Startit Centar / Savska 5

15:00-19:00

GDPR for beginners

By Aleksandar Savkovic
