
GDPR Compliance Seminar

157 views

Published on

This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
https://flevy.com/browse/business-document/gdpr-compliance-seminar-3794

DOCUMENT DESCRIPTION

This is a presentation on how to comply with the requirements of GDPR and protect personal data in a more effective way.
Contents of the seminar presentation:
1. Introduction:
Context, Prologue, Overview, Milestones, Benefits, Objectives, Target Audience
2. Defining Personal Data
3. Personal Data Operating Environment
4. Protecting Personal Data
5. Data Privacy Regulatory Frameworks
6. GDPR Compliance System
7. Further Resources

This presentation is complemented with the following:
GDPR Seminar - Supplementary Notes.

Published in: Business

GDPR Compliance Seminar

  1. John Kyriazoglou – Complying with GDPR requirements
  2. UNIT 1. INTRODUCTION
     This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/gdpr-compliance-seminar-3794
  3. 1. Introduction: GDPR Seminar Context (2)
     • Unit 1 (‘Introduction’) establishes the background for this seminar.
     • Unit 2 (‘Defining Personal Data’) tells you what personal data are and supports you to reach Milestone 1 ‘Understand PD’.
     • Unit 3 (‘Personal Data Operating Environment’) describes the business operating environment within which personal data are processed and supports you to reach Milestone 2 ‘Understand PD operating environment’.
  4. 1. Introduction: GDPR Seminar Prologue
     Information and communications technologies and other information networks have made it possible to collect, store and access information from anywhere in the world. However, while these technologies make it easier and cheaper to collect, link and use large quantities of information, they also often make these activities undetectable to individuals and make it more difficult for individuals to retain a measure of control over their personal information. Therefore, to protect the personal data and the privacy of individuals, several regulatory regimes have been enacted, and companies and organizations all over the world have developed and implemented various systems and practices to comply with their requirements. The regulatory regime for the European Union is the GDPR. This seminar describes its requirements and presents various measures enterprises can take to comply with them and avoid sanctions and fines.
     * For more details, see also: Supplementary Notes, NOTE 1: Synopsis of seminar
  5. 1. Introduction: GDPR Seminar Benefits
     The benefits of this seminar include the following:
     1. Comply better with the stringent requirements of GDPR
     2. Avoid potential regulatory fines and sanctions
     3. Minimize potential losses and related non-compliance damages (turnover reduction, bad publicity, legal actions, corporate brand and related image damages, market share loss, etc.)
     4. Improve the security and integrity of personal and other corporate data, such as financial, production, etc.
  6. UNIT 2. DEFINING PERSONAL DATA
  7. 2. Defining Personal Data: Definition of personal data
     • ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  8. 2. Defining Personal Data: Examples of personal data (3)
     • Employees’ salaries and human resources files
     • Financial profile
     • Gender
     • GPS position
     • GPS trajectories
     • Home address
     • IP address
     • Location derived from telecommunications systems
     • Medical history
     • Name
     • National identifiers (e.g., passport number)
     • Personal e-mail address
     • Personal identification numbers (PIN) or passwords
  9. 2. Defining Personal Data: Definition of sensitive personal data (2)
     • ‘biometric data’ (GDPR Article 4(14)) means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  10. 2. Defining Personal Data: Other relevant definitions (consent, personal data breach)
     • ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
     • ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  11. 2. Defining Personal Data: Where do personal data exist (2)?
     • Central IT applications
     • Office applications (Word, Excel, electronic documents)
     • Call center
     • CCTV
     • Digital media and smart devices
     • Social media (Facebook, LinkedIn, Instagram, YouTube, etc.)
  12. 3. Personal Data Operating Environment (PDOE)
     Milestone: This unit (‘Personal Data Operating Environment’) describes the business operating environment within which personal data are processed and supports you to reach Milestone 2 ‘Understand PD operating environment’ in your Personal Data Protection Journey to GDPR Compliance.
     Purpose: The main purpose of this unit is to inform privacy readers of the main components of data governance and of the main concepts and types of data privacy that permeate the personal data operating environment and the personal data processed by companies and organizations.
  13. 3.1. PDOE: Data Governance Aspects
     Definition of Data: Data is the plural of ‘datum’, from Latin (‘given’) and from Greek ‘dido’ = to give (‘didomi’, ancient Greek). Data are the lowest level of abstraction: unprocessed (‘raw’) items such as characters, images, numbers, representations of physical quantities and facts, results of measurements, etc., from which information and knowledge are derived. Data are processed by computerized systems; stored in paper (manual) systems, automated systems, computer-based devices and digital storage media; and transmitted to authorized users, networks, computer programs and systems for further action.
  14. 3.1. PDOE: Data Governance Aspects
     Data Life Cycle: 7 Phases
     1. Data Capture: the act of creating data values that do not yet exist and have never existed within the company. It is made up of:
     1.1. Data Acquisition: the ingestion of already existing data that has been produced by an organization outside the enterprise
     1.2. Data Entry: the creation of new data values for the enterprise by human operators or devices that generate data for the enterprise
     1.3. Signal Reception: the capture of data created by devices, typically important in control systems, but becoming more important for information systems with the Internet of Things
  15. 3.1. PDOE: Data Governance Aspects
     Data Governance Controls
     Specific data governance controls, such as:
     • Chief Data Officer,
     • Corporate Data Librarian,
     • Corporate Data Steward,
     • Corporate Data Custodian,
     • Data Quality Officer, etc.
     are included in my book ‘Data Governance Controls’ (bookboon.com, 2019): https://bookboon.com/en/data-governance-controls-ebook
  16. 3.2. PDOE: Data Privacy Concepts
     Privacy, in present terms, is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes. When something is private to a person, it usually means that it is inherently special or sensitive to them. The domain of privacy partially overlaps with security, confidentiality and integrity, which can include the concepts of appropriate use and access, as well as protection of information and the provision of rights to the persons whose data is processed by a company or organization.
  17. 3.2. PDOE: Data Privacy Concepts: Privacy and technology (2)
     Secondly, protecting the privacy of Internet users, which is almost unregulated, is an even larger issue. Huge databases are now created that contain information and personal data about the lives, interests and preferences of individuals all over the globe, in many cases without the consent of the individuals concerned. Thus, controlling and protecting the data and the privacy of all people becomes the highest priority.
  18. UNIT 4: Protecting Personal Data
  19. 4. Protecting Personal Data: Questions
     Question 1: Who had or still has the right to access personal data held by an organization?
     Question 2: Are the personal data secure and accurate?
     Question 3: Are information and personal data collected and disseminated without the knowledge and consent of the persons concerned?
     Question 4: Could personal data be used to discriminate against certain categories of people or to abuse other fundamental rights?
  20. 4. Reasons for protecting personal data
     There are five main reasons for protecting the organization's personal data:
     • Regulatory compliance: avoid non-compliance fines and sanctions by the regulatory authority
     • Financial and other losses
     • Continuous (24 hours / 7 days) operating mode
     • Taking correct management decisions
     • Productivity of workers
     * For more details, see also: Supplementary Notes, NOTE 4: Reasons for protecting personal data
  21. 4. Data Protection Quiz
     • Are ‘cookies’ considered personal data? YES: ... NO: ... I do not know: ...
     • Are ‘metadata’ of text documents, images, videos, spreadsheets, folders, software, etc., considered personal data? YES: ... NO: ... I do not know: ...
  22. 4. Data Protection Quiz
     • During the backup process, the server’s hard disk that contained personal data was destroyed. Data was lost.
     • What kind of incident is this?
     1. Hardware malfunction: NO.
     2. Technical vulnerability: NO.
     3. Server data integrity violation: NO.
     4. Breach of personal data (data breach): YES.
     5. Infringement of IT security: NO.
     6. Backup software malfunction: NO.
  23. 4. Data Protection Quiz
     • The Marketing Manager of Company ‘XXXX’ has collected 2000 business cards with the details of different people and has them:
     • Case 1. In his desk drawer, in an unorganized way. Question 1. Are these considered personal data? YES: ... NO: ...
     • Case 2. Organized in a computer file. Question 1. Are these considered personal data? YES: ... NO: ...
  24. UNIT 5: Data Privacy Regulatory Frameworks
  25. UNIT 5.1: Data Privacy Frameworks
  26. 5.1. Data Privacy Frameworks: OECD Privacy Principles (3)
     4. Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: a) with the consent of the data subject; or b) by the authority of law.
     5. Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
     6. Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  27. 5.1. Data Privacy Frameworks: Asian-Pacific Countries: APEC Privacy Framework
     APEC Privacy Framework: information privacy principles
     I. Preventing Harm
     II. Notice
     III. Collection Limitation
     IV. Uses of Personal Information
     V. Choice
     VI. Integrity of Personal Information
     VII. Security Safeguards
     VIII. Access and Correction
     * For more details, see also: Supplementary Notes, NOTE 5: APEC Privacy Framework: information privacy principles
  28. 5.1. Data Privacy Frameworks: European Union: General Data Protection Regulation (GDPR) (2)
     The penalties for infringement are severe, and the buck stops with the board. Company directors and boards should be at the forefront of driving compliance with the GDPR. Boards and company directors should be preparing for the GDPR right now and examining how they can go further to embrace the opportunity to deliver outstanding customer value.
  29. 5.2.1. GDPR: Overview
     • The implementation of the General Data Protection Regulation, a European Regulation ((EU) 2016/679), as of 25 May 2018, represents the biggest change in privacy legislation in a generation.
     • By bringing the balance of power back to the individual, the legislation marks a paradigm shift in the way that organisations must process and protect customer information.
     • The penalties for infringement are severe, and the buck stops with the board. Company directors and boards should be at the forefront of driving compliance with the GDPR.
     • Although ostensibly an EU regulation, the borderless nature of global commerce means that the GDPR will act as a catalyst for global change in how we manage the rights of the individual.
  30. 5.2.3. GDPR: Security vs. Privacy
     Privacy Perspective
     • Focus: Individual person
     • Goal: Protection of the personal data of the individual person, even within the authorized perimeter
     • Modus Operandi: Right
     • Controls: Privacy policies and procedures to cover the personal data and the privacy of each individual person in all locations, offices, sites, files, applications, manual files and computerized databases.
     • Examples: Encryption, Pseudonymization, Privacy policy, Lawful processing, Accountability, Consent policy, Breach notification, Masking of fields
  31. 5.2.4. GDPR Critical Articles
     • Articles 83-84: Fines and sanctions
     • Article 85: Processing and freedom of expression and information
     • Article 86: Processing and public access to official documents
     • Article 88: Processing in the context of employment
     • Article 89: Safeguards and derogations concerning processing for archiving purposes in the public interest or for purposes of scientific or historical research or statistical purposes
     • Article 90: Obligations of confidentiality
  32. 5.2.5. GDPR Data Protection Principles
     Data Protection Principle 2 (Article 5(1)(b)): ‘purpose limitation’
     • Personal data shall be: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
     Compliance Measures (Examples):
     • Data may be collected for specific purposes
     • Data may be processed in a manner compatible with these purposes
     • No secondary use of data
  33. 5.2.5. GDPR Data Protection Principles
     Data Protection Principle 5 (Article 5(1)(e)): ‘storage limitation’
     • Personal data shall be: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
     Compliance Measures (Examples):
     • Data no longer required should be removed (except for state law, crimes, fraud investigation)
     • Data retention policy
     • Data retention review policy
     • Retention period in manual files and computerized databases
  34. 5.2.6. GDPR Consent (Articles 7, 8)
     • Clear consent: everyone has to give their consent to the processing of their personal data.
     Indicative Compliance Measures
     1. Ensure that your company has implemented a consent policy for all personal data collection purposes.
     2. Get a signed statement of consent from all interested parties.
     3. Ensure that the consent form is consistent and accessible across all methods of collecting, transferring and processing data.
  35. 5.2.7. GDPR Rights of Subjects: Article 16 - Right to rectification
     • The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
     • Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  36. 5.2.7. GDPR Rights of Subjects: Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
     • The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
     • The controller shall inform the data subject about those recipients if the data subject requests it.
  37. 5.2.7. GDPR Rights of Subjects: Article 22 - Automated individual decision-making, including profiling
     • 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
     • 2. Paragraph 1 shall not apply if the decision:
     (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
     (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
     (c) is based on the data subject's explicit consent, etc.
  38. 5.2.9. Security of Processing: Article 32 - Security of processing
     • 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
     (a) the pseudonymisation and encryption of personal data;
     (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
     (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
     (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  39. 5.2.10. Data Breach: Article 33 - Notification of a personal data breach to the supervisory authority
     • 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
     • 2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach, etc.
  40. 5.2.10. Data Breach: Examples of Compliance Measures
     1. Design, implement and maintain appropriate technical and organizational security measures.
     2. Maintain a personal data breach reaction plan.
     3. Establish a data breach notification process to inform the authority, data subjects and partners.
  41. 5.2.12. Informing Data Subjects: Article 13 - Information to be provided where personal data are collected from the data subject
     • 1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
     (a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
     (b) the contact details of the data protection officer, where applicable;
     (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, etc.;
  42. 5.2.12. Informing Data Subjects: Examples of Compliance Measures
     1. Develop, implement and maintain a data privacy notice detailing your company's privacy practices in accordance with the relevant GDPR articles (Article 13 and Article 14).
     1.1. Any company that maintains a website must publish a privacy statement on the site.
     1.2. A link to the privacy statement should be visible on every page of the site under a shared term (such as "Data Protection" or "Privacy Policy").
  43. 5.2.13c. Processor and Controller
     The processor shall:
     • Not engage another processor without prior specific or general written authorization of the controller
     • Only perform processing that is governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller
     • Only process personal data on documented instructions from the controller
     • Assist the controller in taking appropriate measures
     • At the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing
     • Make available to the controller all information necessary to demonstrate compliance
     Controller and processor:
     • Shall both cooperate with the supervisory authority and support the data protection officer (DPO)
  44. 44. Tasks (primary and obligatory) • Inform and advise the controller or the processor and the employees who carry out processing of their obligations • Monitor compliance with the GDPR (and any additional related national legislation) • Provide advice where requested, with regard to the data protection impact assessment and other data protection issues • Cooperate with the supervisory authority • Act as the contact point for the supervisory authority 5.2.14. Data Protection Officer This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/gdpr-compliance-seminar-3794
45. 5.2.15. GDPR and Risks
• The recitals of the GDPR (51 references: 9, 15, 28, 35, 38, 39, 51, 65, 71, 74-77, 80, 81, 83-86, 89-91, 94, 96, 98, 116, 122, 144), and
• the GDPR articles (24 references: 23-25, 27, 30, 32, 33-36, 39, 49, 57, 70)
• do not clearly define risk, but the recitals provide examples of damage and guide controllers to assess the likelihood of such damage, taking into account the nature of the threat.
46. 5.2.15. GDPR and Risks
• Business Obligations:
• 1. Disclosure of a violation to the data protection authority
• 2. Foreign controllers shall appoint an EU representative
• 3. Controllers must apply (and choose processors that apply) "technical and organizational measures" appropriate to the risk of data breaches
47. 5.2.15. GDPR and DPIA
• DPIA Criteria: the following criteria should be considered:
• Criterion 1: Evaluation or scoring
• Criterion 2: Automated decision-making with legal or similarly significant effect
• Criterion 3: Systematic monitoring
• Criterion 4: Sensitive data
• Criterion 5: Data processed on a large scale
• Criterion 6: Datasets that have been matched or combined
48. 5.2.16. Designing Data Protection
• Data protection by design and by default
• 'In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.' (GDPR)
• Some examples of measures: minimizing processing, pseudonymization, creating transparency with regard to processing
• By design and by default:
• 'Privacy by design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation.'
• When developing and designing products, services and applications, the principles of data protection by design and by default should be observed.
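Two of the measures named above, minimizing processing and pseudonymization, can be built into the code path that hands data to a processor. The following is an added example (not from the seminar): direct identifiers are replaced by a keyed pseudonym (HMAC-SHA256), the key and the re-identification table stay with the controller, and fields the stated purpose does not need are dropped. The purposes, field names and record are constructed for illustration.

```python
"""Added example: data protection by design for one record, using minimization
(purpose-bound field allow-list) and keyed pseudonymization (HMAC-SHA256).
All purposes, fields and values are constructed."""
import hashlib
import hmac

# Fields each purpose may receive; anything else is dropped before processing.
PURPOSE_FIELDS = {
    "order_analytics": {"order_total", "country"},
    "shipping_stats": {"country", "postcode"},
}
DIRECT_IDENTIFIERS = ("customer_id", "email", "phone")  # never leave the controller

def pseudonym(value, key):
    """Keyed pseudonym: stable under one key, unlinkable without it (16 hex chars)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

class PseudonymVault:
    """Holds the key and the pseudonym->identifier table, outside the processor's environment."""
    def __init__(self, key):
        self._key = key
        self._table = {}

    def tokenize(self, identifier):
        p = pseudonym(identifier, self._key)
        self._table[p] = identifier
        return p

    def reidentify(self, p):
        return self._table[p]   # only the vault holder can resolve a pseudonym

def minimize_and_pseudonymize(record, purpose, vault):
    """Return the view of `record` that a processor acting for `purpose` may see."""
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed and k not in DIRECT_IDENTIFIERS}
    out["subject"] = vault.tokenize(record["customer_id"])  # one pseudonym replaces all identifiers
    return out

# Constructed sample key and record (a real key comes from a key store, not source code).
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {"customer_id": "C-1001", "email": "a.b@example.com", "phone": "+49 30 000000",
                 "country": "DE", "postcode": "10115", "order_total": 42.5}

if __name__ == "__main__":
    vault = PseudonymVault(SAMPLE_KEY)
    shared = minimize_and_pseudonymize(SAMPLE_RECORD, "order_analytics", vault)
    print(shared)                               # no email, phone, postcode or customer_id
    print(vault.reidentify(shared["subject"]))  # 'C-1001', resolvable only through the vault
```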
49. 5.2.16. Designing Data Protection
• Data Protection Policy
• Objective: The primary objective of this Data Protection Policy is to provide general guidelines for the data privacy issues related to the collection, use, processing, disclosure, monitoring, etc., of the personal data of an enterprise.
• Contents (partial):
• 1. Purpose of this policy
• 2. Commitment
• 3. Opportunity to decline
• 4. Personal information collection
• 5. Use of information
• 7. Protection of information
• An example of this policy, as well as other related plans, controls, etc., is included in my books listed in the last unit (Further Resources).
50. 5.2.17. GDPR Fines and Sanctions
• Fines of up to €20,000,000 / 4% of turnover
• Violation of:
• The basic principles and consent, Articles 5, 6, 7 and 9
• The data subjects' rights, Articles 12 to 22
• The transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49
• Any obligations pursuant to Member State law adopted under Chapter IX (specific processing situations)
• Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority (Article 58).
51. 5.2.20. GDPR Critical Obligations
• 1. Respecting and complying with the basic principles of personal data protection (GDPR Article 5)
• First Principle (Article 5, 1.a): "Legitimacy, Objectivity and Transparency"
• Second Principle (Article 5, 1.b): "Purpose Limitation"
• Third Principle (Article 5, 1.c): "Minimize Data"
52. 5.2.20. GDPR Critical Obligations
• 3. Informing Data Subjects
• Obligation to notify natural persons of their rights within a reasonable time
• 4. Personal data security
• Obligation to maintain uninterrupted security of the personal data of customers, consumers, users, etc. throughout the lifetime of the personal data processed by the company.
53. 5.2.20. GDPR Critical Obligations
• 9. Processing personal data by a third party
• Obligation to entrust processing only to those entities that have adequate safeguards to implement the appropriate measures to ensure compliance with the GDPR, and to conclude a contract or a binding act governing the relationship. The article also limits the ability of processors to subcontract without the consent of the data controller and ensures that the same safeguards apply in this arrangement.
54. 6. GDPR Compliance System
• Milestone: This unit ('GDPR Compliance System') 'tells you how to do it' in terms of what measures (methods, policies, procedures, technology, etc.) to use to achieve the proper level of data protection according to the GDPR, and supports you in reaching Milestone 5, 'Comply better with GDPR', in your Personal Data Protection Journey to GDPR Compliance.
55. 6. GDPR Compliance System
• Phase 1: Data Protection and Privacy Preparation
• Phase 2: Data Protection and Privacy Organization
• Phase 3: Data Protection and Privacy Development and Implementation
• Phase 4: Data Protection and Privacy Governance
• Phase 5: Data Protection and Privacy Evaluation and Improvement
56. 6. GDPR Compliance System
• Phase 3: Data Protection and Privacy Development and Implementation
• Step DI#1: Develop and implement Data Protection and Privacy Strategies, Plans and Policies
• Step DI#2: Implement Approval Procedure for Processing Personal Data
• Step DI#3: Register Databases of Personal Data
• Step DI#4: Develop and Implement a Cross-Border Data Transfer System
• Step DI#5: Execute DP&P integration activities
• Step DI#6: Execute DP&P training plan
• Step DI#7: Implement Data Security controls
57. 6. GDPR Compliance System
• Phase 5: Data Protection and Privacy Evaluation and Improvement
• Step RI#4: Execute Data Protection Impact Assessments
• Step RI#5: Resolve Data Protection and Privacy (DP&P) Risks
• Step RI#6: Report DP&P Risk Analysis and Results
• Step RI#7: Monitor Data Privacy Laws and Regulations
• For more details, see Supplementary Notes, NOTE 12: GDPR Compliance Methodology
58. 6. GDPR Compliance System
• GDPR Compliance Products:
• 1. Personal Data Inventory
• 2. Training Material
• 3. GDPR Compliance Report (Findings, Recommendations)
• 4. Upgraded contracts, forms, policies and procedures
• 5. GDPR Implementation Action Plan
• For more details, see Supplementary Notes, NOTE 12: GDPR Compliance Methodology
59. 7.1. Main GDPR Documents
• The EU General Data Protection Regulation (GDPR)
• http://eur-lex.europa.eu/eli/reg/2016/679/oj
• http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN (English text)
• http://eur-lex.europa.eu/legal-content/EL/TXT/PDF/?uri=CELEX:32016R0679&from=EN (Greek text)
60. 7.3. Books by John Kyriazoglou
• 1. 'IT Strategic & Operational Controls', 2010, IT Governance, U.K.
• https://www.itgovernance.co.uk/shop/product/it-strategic-and-operational-controls
• 2. 'IT-Business Alignment' (Parts 1 & 2), 2012, bookboon.com.
• http://bookboon.com/en/it-business-alignment-part-i-ebook
• http://bookboon.com/en/it-business-alignment-part-ii-ebook
• 3. 'Controles estratégicos y operacionales de la TI' (in Spanish), 2013, IT Governance
• https://www.itgovernanceusa.com/shop/product/controles-estratgicos-y-operacionales-de-la-ti
• 4. 'Controles De La Seguridad De La Ti' (in Spanish), 2015, bookboon.com.
• http://bookboon.com/es/controles-de-la-seguridad-de-la-ti-ebook
61. 7.4. GDPR Tools by John Kyriazoglou
• https://flevy.com/browse/slideshow/eu-gdpr-quick-readiness-action-plan-2896
• https://flevy.com/browse/business-document/data-protection-impact-assessment-eu-gdpr-requirement-2543
• https://flevy.com/browse/business-document/gdpr-personal-data-inventory-register-3415
• https://flevy.com/browse/business-document/gdpr-breach-register-3426
• https://flevy.com/browse/business-document/gdpr-data-security-controls-3425
• https://flevy.com/browse/business-document/gdpr-audit-tool-01data-confidentiality-assessment-3419
• https://flevy.com/browse/business-document/gdpr-audit-tool02hr-cultural-controls-assessment-3420
• https://flevy.com/browse/business-document/gdpr-audit-tool03data-privacy-principles-assessment-3421
• https://flevy.com/browse/business-document/iso-27001-27002-security-audit-questionnaire-2622
62. About Flevy
Flevy (www.flevy.com) is the marketplace for premium documents. These documents can range from Business Frameworks to Financial Models to PowerPoint Templates. Flevy was founded under the principle that companies waste a lot of time and money recreating the same foundational business documents. Our vision is for Flevy to become a comprehensive knowledge base of business documents. All organizations, from startups to large enterprises, can use Flevy, whether it's to jumpstart projects, to find reference or comparison materials, or just to learn.
Contact Us
Please contact us with any questions you may have about our company.
• General Inquiries: support@flevy.com
• Media/PR: press@flevy.com
• Billing: billing@flevy.com