GDPR Training 101

Brightdock

Treba brinuti o 20.000.000 eura kazne ili 4% prometa.

Treba brinuti oko zabrane obradjivanja informacija i privatnih podataka!

Brightdock

"Everyone has the right to respect for his private
and family life, his home and his correspondence."
Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR, 1950)

Brightdock

"The purpose of this Convention is to secure in the
territory of each Party for every individual,whatever
his nationality or residence, respect for his rights
and fundamental freedoms, and in particular his
right to privacy, with regard to automatic processing
of personal data relating to him ("data protection")."
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108, 1981)

Brightdock

"Everyone has the right to respect for his or her
private and family life, home and communications."


"Everyone has the right to the protection of personal data concerning him or her."


Charter of Fundamental Rights of the European Union, Articles 7, 8 (EU Charter, 2000)

Brightdock

"any information relating to an identified or identifiable natural person (‘data subject’)"


Includes: name, identification number, location data, online identifier, or
anything specific to physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Brightdock

Personal Data

Data revealing racial or ethnic origin Political opinions
Religious or philosophical beliefs

Trade union membership
Genetic data
Biometric data (for the purpose of uniquely identifying a natural person)

Data concerning health, sex life or sexual orientation

Brightdock

Special categories of data (sensitive)

Risk to the Rights and Freedoms, where the processing may give rise to:


Discrimination
Identity theft or fraud
Financial loss
Damage to the reputation
Loss of confidentiality of personal data protected by professional secrecy

Unauthorised reversal of pseudonomysation
Any other significant economic or social disadvantage

GDPR, Preamble 75

Brightdock

Controller - "natural or legal person [...] which, alone or jointly with others,
determines the purposes and means of the processing of personal data"

Processor - "natural or legal person [...] which processes personal data on behalf of the controller"

Data Protection Officer

Brightdock

Data Subject

 

Fair, lawful and transparent

Purpose limitation
Data minimisation

Accuracy
Storage limitation
Integrity and confidentiality

Accountability -Data Protection Officer

Brightdock

PRINCIPLES TO PROCESSING OF PERSONAL DATA

 

The third country must have an "Adequate level of protection".


Decision taken by European Commission, so far:
Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, US (!), Uruguay

Brightdock

An Information Security event is a system, service or network state condition, or occurrence that indicates that information security may have been breached or compromised or that a security policy may have been violated or a control may have failed.

 

An Information Security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations

Brightdock

Controller must notify the PDB to the DPA "without undue delay and, where feasible, not later than 72 hours after having become aware of it".


If not within 72 hours, controller must give reasons for the delay.


Unless PDB is unlikely to result in a risk to the rights and freedoms of the data subjects.

Brightdock

Notification to the data subject:


When?
PDB is likely to result in high risk for the rights and freedoms of natural persons, communicate "without undue delay".


What?
Nature of PDB, DPO contact details, likely consequences, measures taken "in clear and plain language".

Brightdock

When it happens:

Plan and prepare
Detect and assess
Notify and respond
Collect evidence, carry out forensic analysis

Review and improve

Brightdock

identify processing activities, e.g.: applications, IT systems, document filing (e.g. Excel) and physical files.

Brightdock

IMPLEMENTATION CHECKLIST

create a procedure:
processing activities and purposes, categories of data subjects (e.g. employees, customers), categories of recipients; and provide deadlines (if possible) for deletion of data.

The DPIA is a new requirement under the GDPR as part of the “protection by design” principle. According to the law:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

While this passage makes it clear that a DPIA is required by law under certain conditions, it is unhelpfully light on specifics.

Brightdock

IMPLEMENTATION CHECKLIST

carry out a data protection impact assessment ("DPIA"):

  • If you’re using new technologies

  • If you’re tracking people’s location or behavior

  • If you’re systematically monitoring a publicly accessible place on a large scale

  • If you’re processing personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”

  • If your data processing is used to make automated decisions about people that could have legal (or similarly significant) effects

  • If you’re processing children’s data

Brightdock

ensure compliance with data protection principles: e.g., confirm and check the legal basis for processing.

Brightdock

implement data security measures: compliance with state of the art security taking into account the:
scope, circumstances and purposes of processing; and likelihood of risks to individual rights.

Maintain right of data subjects - consider the:
right of notice (article 15)

right of correction (article 16)

right to be forgotten or of deletion (article17)

right to restrict processing (article 18)

right to data portability (article 20)

right to object (article 21).

Brightdock

GDPR 101

By Aleksandar Savkovic WPAleks

GDPR 101

Introduction to GDPR

  • 436