GDPR Compliance Plan
The General Data Protection Regulation
(GDPR) has an enforcement deadline of
May 25, 2018.
This new legal framework out of the EU is
the most comprehensive and expansive
digital privacy law in the world at this
time.
The GDPR has two main goals:
1. To unify the data privacy laws throughout the EU, and
2. To strengthen the rights of people in the EU in regard to protecting their own personal information
Here’s how to determine if the GDPR applies to you.

Do you offer products or services to people in the EU?
If you do, you must comply with the GDPR.
If you don’t, you still may fall under its scope...

Do you collect information from people in the EU?
If you do, you must comply with the GDPR.

(The regulation protects individuals who are located in the EU, whatever their citizenship, so read "EU citizens" throughout as "people in the EU".)
The GDPR covers two categories of protected information: Personal Information and Sensitive Personal Information (the regulation itself calls the latter "special categories of personal data"). Depending on what type of information you collect, you may be held to stricter requirements.

Personal Information

The definition of personal information is largely unchanged from the previous legislation (the Data Protection Directive) (1), although the GDPR now explicitly names online identifiers and location data. It’s anything that can be used to identify a person, directly or indirectly, such as:
Email addresses
First/last names
Photos/videos
Mailing/shipping addresses
Online identifiers such as an IP address, cookie string, device ID, etc.
(1) Link to https://termsfeed.com/blog/uk-dpa/

If you collect this type of information you’ll have to:
Comply with all six privacy principles (2) of the GDPR, and
Satisfy at least one of the processing conditions (3), the lawful bases for processing
(2) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(3) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_B
Sensitive Personal Information

The second category of protected information under the GDPR is Sensitive Personal Information, which the regulation calls "special categories of personal data" (Article 9). This is information whose disclosure or misuse could cause serious harm or discrimination, so processing it is prohibited unless a specific condition applies.

Examples of sensitive personal information include the following:
Health data
Political views
Sexual orientation and sex life
Religious/philosophical beliefs
Racial or ethnic origin
Trade union membership
Genetic data, and biometric data used to uniquely identify a person

If you collect this type of information you’ll have to:
Comply with all six privacy principles (4) of the GDPR, and
Satisfy at least one of the sensitive data processing conditions (5), in addition to a lawful basis for the processing
(4) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_A
(5) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Appendix_C
Data Controllers versus Data Processors

While the old Data Protection Directive placed its obligations on data controllers only, the GDPR places direct obligations on data processors as well.

Data controllers are the parties that decide what personal data your business will collect, and why (the purposes and means of the processing).

Data processors are the parties that store or process that data on behalf of a controller, and only on the controller’s documented instructions. A party that uses the data for purposes of its own is not your processor; for that use it is a controller in its own right.
Consider the following four examples to see this distinction in real-life situations.

Example 1:
A website collects email addresses to provide a company newsletter. The website uses MailChimp as its email newsletter service. Since the website chooses to collect the email addresses and decides what they are used for, the website is the data controller. MailChimp is the data processor because it takes the data collected by the website, stores it and processes it to send newsletters on behalf of the website.

Example 2:
A mobile app shows ads to its users via a third party such as AdSense, and uses an analytics service such as Mixpanel. The app collects user data and hands it to the third party for the purpose the third party provides. The mobile app is the data controller because it chose to collect the data and to share it. The third party is a data processor to the extent that it processes the data only on the app’s behalf. Where an ad network uses the data for its own purposes, such as building profiles across many apps, it is a controller for that processing, and your contract with it should say which role it plays.

Example 3:
A website has a signup and login form that collects email addresses to create an account. The website doesn’t use any third party services, and there are no other parties involved. In this example, the website is both the data controller and the data processor because it is in charge of both collecting and securing/processing the data it collects through its signup process.

Example 4:
A website simply provides users with information and content. It has no signup capabilities, no login form and doesn’t send out newsletters. It’s a presentational website, such as one built on Wix. However, this website does use Google Analytics. The website is still the data controller: by adding the Google Analytics tag it decided that visitor data (IP address, cookie identifiers, pages viewed) would be collected and why. Google Analytics is the data processor because it collects and processes that information on the website’s behalf under its data processing terms. Not having built the form yourself does not move the controller role to the vendor.

Remember:
Data controllers decide why and how personal data is collected, while data processors store, process and protect that data on the controller’s instructions. Under the GDPR both roles carry their own obligations, and the contract between controller and processor (Article 28) must set out what the processor may do with the data.
Requirements for GDPR Data Controllers

Data controllers have had a number of legal requirements since the 1990s with the introduction of the Data Protection Directive. The GDPR has added additional requirements.

Data Protection Impact Assessments (DPIAs)

Data controllers are required to conduct Data Protection Impact Assessments (6), or DPIAs, before starting any processing that is likely to result in a high risk to individuals, for example large-scale processing of sensitive data, systematic monitoring of a publicly accessible area, or profiling that has legal or similarly significant effects. A DPIA evaluates the risks that come with processing the personal data, the measures you will take to address those risks, and the effect on the security of the data.
(6) Link to https://gdpr-info.eu/art-35-gdpr/
Increased Consent Requirements

Data controllers now have increased consent requirements. Where you rely on consent as the basis for collecting personal data, you need clear, unambiguous consent, given by a statement or an affirmative act, before collecting the data.

For example, if you collect email addresses, include a sign-up button and have users manually enter their email addresses. Typing the address and pressing the button is a clear, affirmative act that shows consent to share the address with you for the stated purpose.

If sensitive personal data is collected on the basis of consent, you need explicit consent before collecting the data. For example, include a checkbox that users have to tick to show they consent. Include text near the checkbox that clearly states what a user is consenting to by ticking the box, and keep a record of the wording shown and when the user agreed, because the controller must be able to demonstrate that consent was given.

Remember that pre-ticked checkboxes, silence or inactivity can no longer be used to show consent to collect user data under the GDPR, and consent must be as easy to withdraw as it was to give.
The 8 Rights of Users

Data controllers need to respect the 8 rights of users under the GDPR:
1. The right to be informed
2. The right to access their data
3. The right to rectification of their data
4. The right to erasure of their data
5. The right to restrict or block data processing
6. The right to make their data portable
7. The right to object to having their data processed
8. Rights in relation to automated decision-making and profiling, including the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects
Privacy by Design

Privacy by Design (7) has always been recommended, but the GDPR makes it a requirement ("data protection by design and by default", Article 25). There are 7 key principles that you’ll need to make efforts to satisfy:
1. Be proactive: prevent privacy problems rather than just react to them
2. Make privacy the default setting
3. Embed privacy into the design
4. Avoid false dichotomies, like privacy vs. revenue: aim for full functionality
5. Protect data across its full lifecycle, from collection to deletion
6. Be visible and transparent with users
7. Take a user-centric approach and respect user privacy
(7) Link to https://termsfeed.com/blog/privacy-design/
Requirements for GDPR Data Processors

Keep Written Records
Data processors must now keep written records about any data processing activities they carry out on behalf of a data controller.

Have Appropriate Security Measures in Place
Data processors must have technical and organizational measures in place that ensure the confidentiality, integrity and availability of any data they process, appropriate to the risk. Examples the regulation itself names are pseudonymization and encryption of personal data, and regular testing of how effective the measures are.

Notification of Breaches
If a breach of personal data ever occurs, data processors must now notify the data controller without undue delay. The controller in turn must notify its supervisory authority within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals, so your processor contract should set a notification time that lets the controller meet that deadline.
Data Protection Officer Requirements

Not everyone will need a Data Protection Officer (8) (DPO). You’ll only need one if you meet any one of the following:
Your core activities consist of large-scale processing of sensitive data or of data relating to criminal convictions and offenses
You are a public authority or body, such as a university, state school or publicly funded entity (courts acting in their judicial capacity excepted)
Your core activities require regular and systematic monitoring of individuals on a large scale, for example behavioral tracking or profiling
(8) Link to https://termsfeed.com/blog/data-protection-officer-dpo/

If you do need a DPO, you can use an in-house expert or hire a consultant. Either way, the DPO must be able to report to the highest level of management and must not be instructed on how to carry out the role. DPOs are responsible for:
Educating data controllers and processors about GDPR obligations
Monitoring GDPR compliance
Advising upper management about changes that need to happen
Helping with informed decision-making regarding data security issues, including advice on DPIAs
Acting as the point of contact for the supervisory authority and for data subjects
Summary

The GDPR applies to you if your business does any one of the following:
Offers products or services to people in the EU
Collects or uses personal or sensitive personal information from people in the EU (data controllers)
Stores or processes personal or sensitive personal information from people in the EU on a controller’s behalf (data processors)

Data controllers are responsible for:
Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
Getting appropriate consent before collecting data, where consent is the lawful basis relied on
Respecting the 8 rights of users
Implementing Privacy by Design

Data processors are responsible for:
Keeping written records of data processing activities
Having appropriate security measures in place
Notifying data controllers of breaches without undue delay

Your DPO (if required) is responsible for:
Educating data controllers and processors about GDPR obligations and how to fulfill them
Monitoring GDPR compliance
Advising upper management of changes that need to be made
Helping make informed decisions regarding data security and compliance