GDPR Training 101
Brightdock
Treba brinuti o 20.000.000 eura kazne ili 4% prometa.
Treba brinuti oko zabrane obradjivanja informacija i privatnih podataka!
Brightdock
"Everyone has the right to respect for his private
and family life, his home and his correspondence."
Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR, 1950)
Brightdock
"The purpose of this Convention is to secure in the
territory of each Party for every individual,whatever
his nationality or residence, respect for his rights
and fundamental freedoms, and in particular his
right to privacy, with regard to automatic processing
of personal data relating to him ("data protection")."
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108, 1981)
Brightdock
"Everyone has the right to respect for his or her
private and family life, home and communications."
"Everyone has the right to the protection of personal data concerning him or her."
Charter of Fundamental Rights of the European Union, Articles 7, 8 (EU Charter, 2000)
Brightdock
"any information relating to an identified or identifiable natural person (‘data subject’)"
Includes: name, identification number, location data, online identifier, or
anything specific to physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Brightdock
Personal Data
Data revealing racial or ethnic origin Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data (for the purpose of uniquely identifying a natural person)
Data concerning health, sex life or sexual orientation
Brightdock
Special categories of data (sensitive)
Risk to the Rights and Freedoms, where the processing may give rise to:
Discrimination
Identity theft or fraud
Financial loss
Damage to the reputation
Loss of confidentiality of personal data protected by professional secrecy
Unauthorised reversal of pseudonomysation
Any other significant economic or social disadvantage
GDPR, Preamble 75
Brightdock
Controller - "natural or legal person [...] which, alone or jointly with others,
determines the purposes and means of the processing of personal data"
Processor - "natural or legal person [...] which processes personal data on behalf of the controller"
Data Protection Officer
Brightdock
Data Subject
Fair, lawful and transparent
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability -Data Protection Officer
Brightdock
PRINCIPLES TO PROCESSING OF PERSONAL DATA
The third country must have an "Adequate level of protection".
Decision taken by European Commission, so far:
Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, US (!), Uruguay
Brightdock
An Information Security event is a system, service or network state condition, or occurrence that indicates that information security may have been breached or compromised or that a security policy may have been violated or a control may have failed.
An Information Security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations
Brightdock
Controller must notify the PDB to the DPA "without undue delay and, where feasible, not later than 72 hours after having become aware of it".
If not within 72 hours, controller must give reasons for the delay.
Unless PDB is unlikely to result in a risk to the rights and freedoms of the data subjects.
Brightdock
Notification to the data subject:
When?
PDB is likely to result in high risk for the rights and freedoms of natural persons, communicate "without undue delay".
What?
Nature of PDB, DPO contact details, likely consequences, measures taken "in clear and plain language".
Brightdock
When it happens:
Plan and prepare
Detect and assess
Notify and respond
Collect evidence, carry out forensic analysis
Review and improve
Brightdock
identify processing activities, e.g.: applications, IT systems, document filing (e.g. Excel) and physical files.
Brightdock
IMPLEMENTATION CHECKLIST
create a procedure:
processing activities and purposes, categories of data subjects (e.g. employees, customers), categories of recipients; and provide deadlines (if possible) for deletion of data.
The DPIA is a new requirement under the GDPR as part of the “protection by design” principle. According to the law:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
While this passage makes it clear that a DPIA is required by law under certain conditions, it is unhelpfully light on specifics.
Brightdock
IMPLEMENTATION CHECKLIST
carry out a data protection impact assessment ("DPIA"):
-
If you’re using new technologies
-
If you’re tracking people’s location or behavior
-
If you’re systematically monitoring a publicly accessible place on a large scale
-
If you’re processing personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
-
If your data processing is used to make automated decisions about people that could have legal (or similarly significant) effects
-
If you’re processing children’s data
Brightdock
ensure compliance with data protection principles: e.g., confirm and check the legal basis for processing.
Brightdock
implement data security measures: compliance with state of the art security taking into account the:
scope, circumstances and purposes of processing; and likelihood of risks to individual rights.
Maintain right of data subjects - consider the:
right of notice (article 15)
right of correction (article 16)
right to be forgotten or of deletion (article17)
right to restrict processing (article 18)
right to data portability (article 20)
right to object (article 21).
Brightdock
GDPR 101
By Aleksandar Savkovic WPAleks
GDPR 101
Introduction to GDPR
- 436