The deadline for GDPR compliance is May 25, 2018.
Find out if you fall under its scope and what's required for your business if you do.
Learn about the requirements for:
- Data Controllers
- Data Processors
- Data Protection Officers
Read the blog post here for additional details, appendices and more:
https://termsfeed.com/blog/gdpr-compliance-plan/
The General Data Protection Regulation (GDPR) has an enforcement deadline of May 25, 2018.
This new legal framework out of the EU is the most comprehensive and expansive digital privacy law in the world at this time.

The GDPR has two main goals:
1. To unify the data privacy laws throughout the EU, and
2. To strengthen the rights of European citizens in regard to protecting their own personal information.
Do you offer products or services to citizens of the EU?
If you do, you must comply with the GDPR. If you don't, you still may fall under its scope...

Do you collect information from citizens of the EU?
If you do, you must comply with the GDPR.
The GDPR covers two categories of protected information: Personal and Sensitive Personal Information. Depending on what type of information you collect, you may be held to stricter requirements.

Personal Information
The definition of personal information remains the same as in the previous legislation (the Data Protection Directive) (1). It's anything that can be used to identify a person, such as:
- Email addresses
- First/last names
- Photos/videos
- Mailing/shipping addresses
- Online identifiers such as an IP address, cookie string, etc.
(1) Link to https://termsfeed.com/blog/uk-dpa/

If you collect this type of information you'll have to:
- Comply with all six privacy principles (2) of the GDPR, and
- Satisfy at least one of the processing conditions (3)
(2) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(3) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_B
Sensitive Personal Information
The second category of protected information under the GDPR is Sensitive Personal Information. This includes information that could damage or harm someone if it were to be made public.

Examples of sensitive personal information include the following:
- Health data
- Political views
- Sexual orientation
- Religious/philosophical beliefs

If you collect this type of information you'll have to:
- Comply with all six privacy principles (4) of the GDPR, and
- Satisfy at least one of the sensitive data processing conditions (5)
(4) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(5) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_C
While the old Data Protection Directive only applied to data controllers, the GDPR expands to include data processors as well.

Data controllers are the parties that decide what personal data your business will collect, and why.
Data processors are the parties that maintain and process the data, either according to instructions from the data controller or according to their own standards.

Example 1:
A website collects email addresses to provide a company newsletter. The website uses MailChimp as its email newsletter service. Since the website chooses to collect the email addresses, the website is the data controller. MailChimp is the data processor because it takes the data collected by the website, stores it and processes it to send newsletters on behalf of the website.

Example 2:
A mobile app shows ads to its users via a third party such as AdSense or Mixpanel. Here, the app collects user data and then brings in a third party to use this data for the purpose the third party provides: showing ads. In this example, the mobile app is the data controller because it collects user data. AdSense or Mixpanel is the data processor because it processes the data through its own service in order to show ads in the app.

Example 3:
A website has a signup and login form that collects email addresses to create an account. The website doesn't use any third-party services, and there are no other parties involved. In this example, the website would be both the data controller and the data processor because it is in charge of both collecting and securing/processing the data it collects through its signup process.

Example 4:
A website simply provides users with information and content. It has no signup capabilities, no login form and doesn't send out newsletters. It's a presentational website such as Wix. However, this website does use Google Analytics. In this example, Google Analytics would be both the data controller and the data processor. This is because the website itself doesn't collect any information, but rather gives Google Analytics the OK to collect what it needs to function. Google Analytics will then collect and process the information on its own.

Remember:
Data controllers are the companies that collect the data, while data processors are the companies that store, process and protect the data.
Data controllers have had a number of legal requirements since the 1990s with the introduction of the Data Protection Directive. The GDPR has added additional requirements.

Data Privacy Impact Assessments (DPIAs)
Data controllers are required to conduct Data Privacy Impact Assessments (6), or DPIAs. DPIAs evaluate the risks that come with processing personal data, as well as the effects on the security of the data.
(6) Link to https://gdpr-info.eu/art-35-gdpr/

Increased Consent Requirements
Data controllers now have increased consent requirements. If personal data is collected, you'll need clear, unambiguous consent before collecting the data.
For example, if you collect email addresses, include a sign-up button and have users manually enter their email addresses. This shows clear and unambiguous consent to share their email addresses with you.
If sensitive personal data is collected, you'll need explicit consent before collecting the data. For example, include a checkbox that users have to click to show they consent. Include text near the checkbox that clearly states what a user is consenting to by clicking the box.
Remember that pre-ticked checkboxes, silence or inactivity can no longer be used to show consent to collect user data under the GDPR.
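The two consent standards above (manually entered email for personal data, an explicit unticked checkbox for sensitive data) have to be enforced on the server as well as in the form, because a browser simply omits an unticked checkbox from the request. The following is an added illustration, not code from the TermsFeed post: it assumes the form submission arrives as a plain dict of field name to string, as most web frameworks expose POST data, and the field names (`email`, `sensitive_consent`), the purpose text and the record shape are this example's own choices.

```python
"""Server-side consent check for a GDPR-style sign-up form (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purpose text displayed next to the checkbox; stored with the
# record so there is evidence of what the user was told they consented to.
SENSITIVE_PURPOSE = ("We store the health conditions you enter to tailor "
                     "newsletter content. Tick the box to consent.")


@dataclass
class ConsentRecord:
    email: str
    purpose_shown: Optional[str]   # None when only ordinary personal data was taken
    explicit_consent: bool         # True only if the user ticked the box
    recorded_at: str               # UTC timestamp, ISO 8601


def validate_email_entry(form: dict) -> Optional[str]:
    """Clear, unambiguous consent for an email address: the user typed it
    and pressed the sign-up button. Blank or whitespace-only input is not
    an entry at all, so it yields no consent."""
    email = form.get("email", "").strip()
    if "@" not in email:
        return None
    return email


def explicit_checkbox_consent(form: dict, checkbox_name: str) -> bool:
    """Browsers leave an unticked checkbox out of the POST body entirely, so
    an absent field (silence/inactivity) is treated as no consent. The value
    is never defaulted to ticked, which is what rules out pre-ticked boxes."""
    return form.get(checkbox_name) == "on"


def record_consent(form: dict, collects_sensitive: bool,
                   now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Return a ConsentRecord if the submission carries valid consent for the
    kind of data collected, otherwise None (meaning: do not store the data)."""
    email = validate_email_entry(form)
    if email is None:
        return None
    explicit = False
    purpose = None
    if collects_sensitive:
        # Sensitive personal data needs explicit consent, not just the email entry.
        if not explicit_checkbox_consent(form, "sensitive_consent"):
            return None
        explicit = True
        purpose = SENSITIVE_PURPOSE
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(email, purpose, explicit, timestamp)


if __name__ == "__main__":
    # Constructed submissions: ordinary sign-up, and a sensitive sign-up with
    # and without the checkbox ticked.
    print(record_consent({"email": "reader@example.org"}, collects_sensitive=False))
    print(record_consent({"email": "reader@example.org"}, collects_sensitive=True))
    print(record_consent({"email": "reader@example.org", "sensitive_consent": "on"},
                         collects_sensitive=True))
```

Keeping `purpose_shown` in the record matters for the "text near the checkbox" requirement: if the wording changes later, the stored record still shows what each user actually agreed to.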
The 8 Rights of Users
Data controllers need to respect the 8 rights of users under the GDPR:
1. The right to be informed
2. The right to access their data
3. The right of rectification of their data
4. The right to erasure of their data
5. The right to restrict or block data processing
6. The right to make their data portable
7. The right to object to having their data processed
8. The right to be protected from automated decision-making processes
Privacy by Design
Privacy by Design (7) has always been recommended, but the GDPR makes it a requirement. There are 7 key principles that you'll need to make efforts to satisfy:
1. Be proactive to prevent a breach rather than just react to it
2. Embed privacy into design
3. Avoid false dichotomies, like privacy vs. revenue
4. Full lifecycle protection
5. Be transparent with users
6. Take a user-centric approach
7. Valuing privacy is the default setting
(7) Link to https://termsfeed.com/blog/privacy-design/
Keep Written Records
Data processors must now keep written records about any data processing activities they carry out on behalf of a data controller.

Have Appropriate Security Measures in Place
Data processors must have technical and organizational measures in place that ensure security and data integrity for any data they process.

Notification of Breaches
If a breach of data ever occurs, data processors must now notify the data controller without undue delay.
Data Protection Officer Requirements
Not everyone will need a Data Protection Officer (8) (DPO). You'll only need one if you meet any one of the following:
- Process sensitive data or data relating to criminal convictions and offenses
- Are a public authority such as a university, state school or publicly funded entity
- Regularly monitor or process data on a large scale from EU citizens
(8) Link to https://termsfeed.com/blog/data-protection-officer-dpo/

If you do need a DPO, you can use an in-house expert or hire a consultant. DPOs are responsible for:
- Educating data controllers and processors about GDPR obligations
- Monitoring GDPR compliance
- Advising upper management about changes that need to happen
- Helping with informed decision-making regarding data security issues
The GDPR applies to you if your business does any one of the following:
- Offers products or services to EU citizens
- Collects or uses personal or sensitive personal information from EU citizens (data controllers)
- Stores or processes personal or sensitive personal information from EU citizens (data processors)

Data controllers are responsible for:
- Conducting Data Privacy Impact Assessments (DPIAs)
- Getting appropriate consent before collecting data
- Respecting the 8 rights of users
- Implementing Privacy by Design

Data processors are responsible for:
- Keeping written records of data processing activities
- Having appropriate security measures in place
- Notifying data controllers of breaches

Your DPO (if required) is responsible for:
- Educating data controllers and processors about GDPR obligations and how to fulfill them
- Monitoring GDPR compliance
- Advising upper management of changes that need to be made
- Helping make informed decisions regarding data security and compliance