The document discusses privacy concerns related to increased data collection and sharing on social networks. It begins with definitions of key GDPR terms like personal data, processing, and controllers. It then outlines the 12 main GDPR principles, including accountability, consumer rights, privacy by design, security, and penalties. The consequences of non-compliance and recommended methodology for achieving compliance are also reviewed. The document advocates for transparency in data practices and emphasizes that privacy should be protected even as social networks continue to grow in influence.
7. The person who took the photo
is a real friend
7
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg
34. IN 3 WORDS
34
• GDPR IS A "REGULATION" ><
"DIRECTIVE"
• WORLDWIDE INFLUENCE
• CONSEQUENCES FOR COMPANIES
AND PUBLIC SECTOR
35. 35
MAY 2018
ENTRY INTO FORCE MAY
25,2018
DISCUSSED SINCE 2014
VOTED IN 2016
RISKS
PENALTIES
4% ANNUAL TO
20 M €
COMPENSATION IN COURT
REPUTATION
IMPACT
CONTRACT
PROCESSES
MARKETING
ORGANISATION
37. PERSONAL DATA
37
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can
be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;
38. PROCESSING
38
‘processing’ means any operation or set of
operations which is performed on personal data or
on sets of personal data, whether or not by
automated means, such as collection, recording,
organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making
available, alignment or combination, restriction,
erasure or destruction;
39. CONTROLLER
39
controller’ means the natural or legal person, public
authority, agency or other body which, alone or
jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are
determined by Union or Member State law, the
controller or the specific criteria for its nomination
may be provided for by Union or Member State
law;
40. processor or sub-contractor
40
processor means a natural or legal
person, public authority, agency or other
body which processes personal data on
behalf of the controller
41. Sub-contractor
129
The Member States shall provide that the controller must, where
processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical security
measures and organizational measures governing the processing
to be carried out, and must ensure compliance with those
measures
42. 42
The carrying out of processing by way of a processor must be
governed by a contract or legal act binding the processor to the
controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State in
which the processor is established, shall also be incumbent on the
processor
43. data breach
43
personal data breach’ means a breach of
security leading to the accidental or
unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to,
personal data transmitted, stored or
otherwise processed
44. C : 12 MAIN PRINCIPLES OF GDPR
44
1. Accountability
2. Consumer / citizen rights
3. Privacy by design
4. Information security
5. Data breach
6. Penalties
7. identity access management
8. lawfulness for processing
9. Register
10.Risk analysis and PIA
11.Training
12.Data privacy officer
46. 2/ Consumer/citizen's right
46
TRANSPARENCY
SENSITIVE INFORMATIONS
INFORMATION COLLECTED
RIGHT OF ACCESS
RIGHT TO RECTIFICATION
RIGHT TO ERASE
RIGHT OF PROCESSING LIMITATION
PORTABILITY
RIGHT OF OPPOSITION TO PROFILING
53. 53
'the data subject's consent' shall
mean any freely given specific
and informed indication of his
wishes by which the data subject
signifies his agreement to
personal data relating to him
being processed
56. 56
Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes. Further
processing of data for historical, statistical or scientific purposes shall
not be considered as incompatible provided that Member States
provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or
rectified;
(e) kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the data were
collected or for which they are further processed. Member States
shall lay down appropriate safeguards for personal data stored for
longer periods for historical, statistical or scientific use.
57. 57
Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation
to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of
the data subject; or
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority
vested in the controller or in a third party to whom the data are
disclosed
58. 58
Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data
concerning health or sex life
59. 125
Member States shall provide that the controller or his representative must
provide a data subject from whom data relating to himself are collected
with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the
possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data
concerning him
in so far as such further information is necessary, having regard to the
specific circumstances in which the data are collected, to guarantee fair
processing in respect of the data subject
66. METHODOLOGY
66
1. PRELIMINARY AUDIT
2. RISK ANALYSIS
3. LIST OF SERVICES
4. RECORD OF PROCESSING ACTIVITIES
5. ACTION PLAN
6. SERACH FOR COMPLIANCE
7. SOLUTION FOR NON COMPLIANCE
8. CONTINUOUS PROCESSES
9. TRAINING
Préparation
Implémentation
Pérennisation
75. Article 16
Confidentiality of processing
Any person acting under the authority of the controller or of the
processor, including the processor himself, who has access to
personal data must not process them except on instructions from
the controller, unless he is required to do so by law
76. Member States shall provide that the controller must implement
appropriate technical and organizational measures to protect
personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorized disclosure or access, in
particular where the processing involves the transmission of data
over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their
implementation, such measures shall ensure a level of security
appropriate to the risks represented by the processing and the
nature of the data to be protected.
81. Where do one steal data?
•Banks
•Hospitals
•Ministries
•Police
•Newspapers
•Telecoms
•...
Which devices are stolen?
•USB
•Laptops
•Hard disks
•Papers
•Binders
•Cars
90. 4
By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated !
Mark Zuckerberg
If you have something that you don’t want
anyone to know, maybe you shouldn’t be
doing it in the first place.
Eric Schmidt
96. 1
Privacy statement confusion
• 53% of consumers consider that a privacy statement
means that data will never be sell or give
• 43% only have read a privacy statement
• 45% only use different email addresses
• 33% changed passwords regularly
• 71% decide not to register or purchase due to a
request of unneeded information
• 41% provide fake info
112
Source: TRUSTe survey
110. DATA PRIVACY & THE EMPLOYER
45http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg
111. SO CALLED HIDDEN COSTS
46
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/
114. RISKS
SOURCE DE L’IMAGE : http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html
115. Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
116. The new head of MI6 has been left
exposed by a major personal security
breach after his wife published
intimate photographs and family
details on the Facebook website.
Sir John Sawers is due to take over
as chief of the Secret Intelligence
Service in November, putting him in
charge of all Britain's spying
operations abroad.
But his wife's entries on the social
networking site have exposed
potentially compromising details
about where they live and work, who
their friends are and where they
spend their holidays.
http://www.dailymail.co.uk
117. Social Media Spam
Compromised Facebook
account. Victim is now
promoting a shady
pharmaceutical
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
118. Social Media Phishing
To: T V V I T T E R.com
Now they will have
your username and
password
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
119. Social Media Malware
Clicking on the
links takes you
to sites that will
infect your
computer
with malware
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
123. Take my stuff,
please!
Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
125. Right to be forgotten
• On 13.05.2014 the European Union Court of
Justice backed a ruling called “the right to be
forgotten,” which allows individuals to control
their data and ask search engines, such as Google,
to remove inadequate personal results from the
Internet.
• However, the decision cannot be interpreted as a
“victory” for the protection of the personal data
of Europeans, according to privacy experts.
126. • In 2010 a Spanish citizen lodged a complaint against a Spanish
newspaper with the national Data Protection Agency and
against Google Spain and Google Inc.
• The citizen complained that an auction notice of his
repossessed home on Google’s search results infringed his
privacy rights because the proceedings concerning him had
been fully resolved for a number of years and hence the
reference to these was entirely irrelevant.
• He requested, first, that the newspaper be required either to
remove or alter the pages in question so that the personal
data relating to him no longer appeared;
• and second, that Google Spain or Google Inc. be required to
remove the personal data
127. • In its ruling of 13 May 2014 the EU Court said :
• a)On the territoriality of EU rules: Even if the physical server of a
company processing data islocated outside Europe, EU rules apply
to search engine operators if they have a branch or a sub sidiary in
a Member State which promotes the selling of advertising space
offered by the search engine;
• b)On the applicability of EU data protection rules to a search
engine : Search engines are controllers of personal data. Google can
therefore not escape its responsibilities before European lawwhen
handling personal data by saying it is a search engine. EU data
protection law applies and so does the right to be forgotten.
• c) On the “Right to be Forgotten” : Individuals have the right -
under certain conditions - to ask search engines to remove links
with personal information about them.This applies where the
information is inaccurate, inadequate, irrelevant or excessive for the
purposes of the data
128. • At the same time, the Court explicitly clarified
that the right to be forgotten is not absolute but
will always need to be balanced against other
fundamental rights, such as the freedom of
expression and of the media
129. • Right to erasure (future rules?)
• 1.The data subject shall have the right to obtain from the
controller the erasure of personal data relating to them and the
abstention from further dissemination of such data, and to
obtain from third parties the erasure of any links to, or copy or
replication of that data, where one of the following grounds
applies:
• (a) the data are no longer necessary in relation to the purposes
for which they were collected or otherwise processed
• (b) the data subject withdraws consent on which the processing
is based according
• (c) when the storage period consented to has expired and
where there is no other legal ground for the processing of the
data
130. New EU Regulation
• right to be forgotten
• no more notification to data privacy authorities
• data privacy officer
• up to 2% turnover penalty
• information of data theft
131. Control by the employer
161SOURCE DE L’IMAGE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/
149. 87
“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin