GDPR Compliance Plan
The General Data Protection Regulation (GDPR) has an enforcement deadline of May 25, 2018. This new legal framework out of the EU is the most comprehensive and expansive digital privacy law in the world at this time.

The GDPR has two main goals:

1. To unify the data privacy laws throughout the EU, and
2. To strengthen the rights of European citizens in regard to protecting their own personal information.

Does the GDPR apply to you?

Here's how to determine if the GDPR applies to you.

Do you offer products or services to citizens of the EU? If you do, you must comply with the GDPR. If you don't, you still may fall under its scope...

Do you collect information from citizens of the EU? If you do, you must comply with the GDPR.
The GDPR covers two categories of protected information: Personal and Sensitive Personal Information. Depending on what type of information you collect, you may be held to stricter requirements.

Personal Information

The definition of personal information remains the same as in the previous legislation (the Data Protection Directive) (1). It's anything that can be used to identify a person, such as:

- Email addresses
- First/last names
- Photos/videos
- Mailing/shipping addresses
- Online identifiers such as an IP address, cookie string, etc.

(1) https://termsfeed.com/blog/uk-dpa/

If you collect this type of information you'll have to:

- Comply with all six privacy principles (2) of the GDPR, and
- Satisfy at least one of the processing conditions (3)

(2) https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(3) https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_B
Sensitive Personal Information

The second category of protected information under the GDPR is Sensitive Personal Information. This includes information that could damage or harm someone if it were to be made public.

Examples of sensitive personal information include the following:

- Health data
- Political views
- Sexual orientation
- Religious/philosophical beliefs

If you collect this type of information you'll have to:

- Comply with all six privacy principles (4) of the GDPR, and
- Satisfy at least one of the sensitive data processing conditions (5)

(4) https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(5) https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_C
Data Controllers versus Data Processors

While the old Data Protection Directive only applied to data controllers, the GDPR expands to include data processors as well.

Data controllers are the parties that decide what personal data your business will collect, and why. Data processors are the parties that maintain and process the data, either according to instructions from the data controller or according to their own standards.

Consider the following four examples to see this distinction in real-life situations.

Example 1: A website collects email addresses to provide a company newsletter. The website uses MailChimp as its email newsletter service. Since the website chooses to collect the email addresses, the website is the data controller. MailChimp is the data processor because it takes the data collected by the website, stores it and processes it to send newsletters on behalf of the website.

Example 2: A mobile app shows ads to its users via a third party such as AdSense or Mixpanel. Here, the app collects user data and then brings in a third party to use this data for the purpose the third party provides: showing ads. In this example, the mobile app is the data controller because it collects user data. AdSense or Mixpanel is the data processor because it processes the data through its own service in order to show ads in the app.

Example 3: A website has a signup and login form that collects email addresses to create an account. The website doesn't use any third party services, and there are no other parties involved. In this example, the website would be both the data controller and the data processor, because it is in charge of both collecting and securing/processing the data it collects through its signup process.

Example 4: A website simply provides users with information and content. It has no signup capabilities, no login form and doesn't send out newsletters. It's a presentational website such as one built on Wix. However, this website does use Google Analytics. In this example, Google Analytics would be both the data controller and the data processor. This is because the website itself doesn't collect any information, but rather gives Google Analytics the OK to collect what it needs to function. Google Analytics will then collect and process the information on its own.

Remember: Data controllers are the companies that collect the data, while data processors are the companies that store, process and protect the data.
Requirements for GDPR Data Controllers

Data controllers have had a number of legal requirements since the 1990s, with the introduction of the Data Protection Directive. The GDPR has added further requirements.

Data Privacy Impact Assessments (DPIAs)

Data controllers are required to conduct Data Privacy Impact Assessments (6), or DPIAs. DPIAs evaluate the risks that come with processing personal data, as well as the effects on the security of the data.

(6) https://gdpr-info.eu/art-35-gdpr/

Increased Consent Requirements

Data controllers now have increased consent requirements. If personal data is collected, you'll need clear, unambiguous consent before collecting the data. For example, if you collect email addresses, include a sign-up button and have users manually enter their email addresses. This shows clear and unambiguous consent to share their email addresses with you.

If sensitive personal data is collected, you'll need explicit consent before collecting the data. For example, include a checkbox that users have to click to show they consent. Include text near the checkbox that clearly states what a user is consenting to by clicking the box.

Remember that pre-ticked checkboxes, silence or inactivity can no longer be used to show consent to collect user data under the GDPR.
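The consent rules above, turned into a small server-side check that a signup handler could run before storing anything. This is an added example, not code from the deck or from TermsFeed; the submission field names, the category labels and the sample submissions are assumptions made for the example.

```javascript
// Added example: build an auditable consent record from a signup submission,
// applying the consent rules the slides describe:
//  - personal data needs clear, unambiguous consent (an affirmative action,
//    e.g. the user typed an email address and pressed the sign-up button)
//  - sensitive personal data needs explicit consent (a checkbox the user
//    ticked, next to text stating what they consent to)
//  - pre-ticked boxes, silence and inactivity never count as consent
// Field names and category labels below are assumptions for this example.

const SENSITIVE_CATEGORIES = new Set([
  'health', 'political_views', 'sexual_orientation', 'religious_beliefs',
]);

function isSensitive(categories) {
  return categories.some((c) => SENSITIVE_CATEGORIES.has(c));
}

// submission shape (assumed):
// { email, submittedByUser, dataCategories, purposeText,
//   checkbox: { present, initiallyChecked, checked, toggledByUser } }
// Returns { ok: true, record } or { ok: false, reason }.
function buildConsentRecord(submission, now = new Date()) {
  const { email, submittedByUser, dataCategories = [], purposeText = '' } = submission;
  const box = submission.checkbox || { present: false };

  // Silence or inactivity is not consent: the user must have acted.
  if (!submittedByUser) {
    return { ok: false, reason: 'no affirmative action by the user' };
  }
  if (typeof email !== 'string' || !email.includes('@')) {
    return { ok: false, reason: 'no data entered by the user' };
  }

  let consentType = 'unambiguous';
  if (isSensitive(dataCategories)) {
    // Explicit consent: a checkbox the user ticked, with the purpose shown.
    if (!box.present) {
      return { ok: false, reason: 'sensitive data requires an explicit consent checkbox' };
    }
    if (box.initiallyChecked) {
      return { ok: false, reason: 'pre-ticked checkbox cannot show consent' };
    }
    if (!box.checked || !box.toggledByUser) {
      return { ok: false, reason: 'checkbox not ticked by the user' };
    }
    if (purposeText.trim() === '') {
      return { ok: false, reason: 'no statement of what the user consents to' };
    }
    consentType = 'explicit';
  }

  // Store enough to show later what was consented to, and when.
  return {
    ok: true,
    record: {
      subject: email,
      dataCategories: [...dataCategories],
      consentType,
      purposeText,
      consentedAt: now.toISOString(),
    },
  };
}

// Constructed sample submissions (not real users).
const SAMPLES = {
  newsletter: { email: 'alice@example.com', submittedByUser: true,
    dataCategories: ['email'], purposeText: 'Receive our newsletter' },
  healthOk: { email: 'bob@example.com', submittedByUser: true,
    dataCategories: ['email', 'health'],
    purposeText: 'Store my health data to personalise the service',
    checkbox: { present: true, initiallyChecked: false, checked: true, toggledByUser: true } },
  preTicked: { email: 'carol@example.com', submittedByUser: true,
    dataCategories: ['email', 'health'],
    purposeText: 'Store my health data to personalise the service',
    checkbox: { present: true, initiallyChecked: true, checked: true, toggledByUser: false } },
  silent: { email: 'dave@example.com', submittedByUser: false,
    dataCategories: ['email'], purposeText: 'Receive our newsletter' },
};

for (const [name, submission] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(buildConsentRecord(submission)));
}
```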
The 8 Rights of Users

Data controllers need to respect the 8 rights of users under the GDPR:

1. The right to be informed
2. The right to access their data
3. The right to rectification of their data
4. The right to erasure of their data
5. The right to restrict or block data processing
6. The right to make their data portable
7. The right to object to having their data processed
8. The right to be protected from automated decision-making processes
Privacy by Design

Privacy by Design (7) has always been recommended, but the GDPR makes it a requirement. There are 7 key principles that you'll need to make efforts to satisfy:

1. Be proactive to prevent a breach rather than just react to it
2. Embed privacy into design
3. Avoid false dichotomies, like privacy vs. revenue
4. Full lifecycle protection
5. Be transparent with users
6. Take a user-centric approach
7. Valuing privacy is the default setting

(7) https://termsfeed.com/blog/privacy-design/
Requirements for GDPR Data Processors

Keep Written Records

Data processors must now keep written records about any data processing activities they carry out on behalf of a data controller.

Have Appropriate Security Measures in Place

Data processors must have technical and organizational measures in place that ensure security and data integrity for any data they process.

Notification of Breaches

If a breach of data ever occurs, data processors must now notify the data controller without undue delay.
Data Protection Officer Requirements

Not everyone will need a Data Protection Officer (8) (DPO). You'll only need one if you meet any one of the following:

- Process sensitive data or data relating to criminal convictions and offenses
- Are a public authority such as a university, state school or publicly funded entity
- Regularly monitor or process data on a large scale from EU citizens

(8) https://termsfeed.com/blog/data-protection-officer-dpo/

If you do need a DPO, you can use an in-house expert or hire a consultant. DPOs are responsible for:

- Educating data controllers and processors about GDPR obligations
- Monitoring GDPR compliance
- Advising upper management about changes that need to happen
- Helping with informed decision-making regarding data security issues
Summary

The GDPR applies to you if your business does any one of the following:

- Offers products or services to EU citizens
- Collects or uses personal or sensitive personal information from EU citizens (data controllers)
- Stores or processes personal or sensitive personal information from EU citizens (data processors)

Data controllers are responsible for:

- Conducting Data Privacy Impact Assessments (DPIAs)
- Getting appropriate consent before collecting data
- Respecting the 8 rights of users
- Implementing Privacy by Design

Data processors are responsible for:

- Keeping written records of data processing activities
- Having appropriate security measures in place
- Notifying data controllers of breaches

Your DPO (if required) is responsible for:

- Educating data controllers and processors about GDPR obligations and how to fulfill them
- Monitoring GDPR compliance
- Advising upper management of changes that need to be made
- Helping make informed decisions regarding data security and compliance