1 / 47

GDPR for dummies

Agreed in 2016, the motive of the General Data Protection Regulation (GDPR) is to better protect the personal data of European Union “data subjects” – EU citizens and other nationals physically present in the EU at the time data are collected. Visit: https://www.hipaajournal.com/gdpr-training/

gdprcompliance
Download Presentation

GDPR for dummies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GDPR Everything you need to know FOR DUMMIES

  2. 1. What is GDPR?

  3. What is the purpose? Who is concerned? ⇒ Better protect the personal data of European Union “data subjects” – EU citizens and other nationals physically present in the EU. Any business or organization that offers services to EU data subjects, or that collects, processes or stores the data of EU data subjects

  4. General Data Protection Regulation “GDPR” The timeline ● 2016: GDPR agreed 2016 - 2018: Preparation ● ● 25thMay 2018: GDPR came into effect.

  5. 2. What is Personal Data under GDPR?

  6. What is personal data ? Piece of Piece of Vestibulum congue tempus information that contains an “identifier” Vestibulum congue tempus information that pertains to a person Vestibulum congue tempus Personal data Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor. Ipsum dolor sit amet elit, sed do eiusmod tempor.

  7. GDPR personal data can be: ▸ Names ▸ Date of birth ▸ Telephone numbers ▸ Addresses ▸ Bank details ▸ Opinions ▸ Passport numbers ▸ Location data ▸ Audio/visual recordings of the individuals So-called “anonymous” data does not need protection by data security laws

  8. Most data protection laws consider maintaining data longer than necessary a breach of privacy Those storing data must carefully consider how to safely dispose of it once it has served the purpose it was collected for.

  9. 3. Sensitive data

  10. What is sensitive data? Examples ➢ Race or ethnicity ➢ Religious or spiritual beliefs ➢ Political or philosophical leanings ➢ Trade union alliances ➢ Biological/genetic data ➢ Medical data ➢ Sexuality/gender identity ➢ Particular pieces of information that make individuals especially vulnerable. ➢ Requires greater levels of protection ➢ Requires extra levels of checks and justification

  11. 4. Who’s involved in GDPR policy ?

  12. Vestibulum congue “The controller” GDPR Vestibulum congue “The processors” Vestibulum congue “Data subjects”

  13. Government agency or organization (public or private) that initiates the collection and processing of personal data. Vestibulum congue “The controller” They are also the ones who use it and, if necessary, share it.

  14. Usually IT companies or third-party marketing companies. “Data processor” can also relate to any software used to process data. Vestibulum congue “The controller” “The processors” In many circumstances, the same organization can be both a data controller and a data processor.

  15. People whose personal information is being used and processed by the controllers and processors. These individuals retain the right to access, correct or request the removal of information collected about them. Vestibulum congue “The controller” “The processors” “Data subjects” GDPR also gives the data subject the right to portability

  16. 5. What is GDPR Data Processing?

  17. Exceptions to GDPR Member states may apply for specific exemptions If an individual poses a threat to the rights and freedoms of others, their data is often no longer protected under GDPR

  18. Examples of when personal data may no longer be treated ● Defense concerns ● Crime prevention ● Financial security ● Prosecution of a crime ● Suspected tax evasion ● Public health concerns ● Freedom of information

  19. 6. Where will the GDPR Apply?

  20. GDPR Data must be protected in line with EU standards for all its citizens, regardless of where the data itself is.

  21. 7. What about BREXIT and GDPR?

  22. It is very likely that the UK’s new Data Protection Laws will take the same shape as GDPR. This is, in part, to facilitate the fact that many UK organizations will work with the data of EU data subjects.

  23. 8. GDPR in the United States

  24. The EU-US Privacy Shield Framework Adopted in 2016 Allows private data to be transferred outside of the EU if the recipient organization is certified by the US Department of Commerce or the EU Supervisory Authority. US organizations must certify they have “adequate safeguards” to protect data and must conduct an annual review to self-certify that they are compliant.

  25. 9. “GDPR right to be forgotten” and “GDPR right to be informed”

  26. “right to be forgotten” “right to be informed” Those who hold an individual’s personal data must delete it upon request if: Data subjects must receive information from the controller about: What information is collected What and how it’s stored How it’s being used Any change whilst the data is still in the controller’s possession ● ● ● ● The data has lost its relevance The subject withdraws consent The subject objects to the processing of the data The data was unlawfully processed ● ● ● ●

  27. 10. What are the GDPR Penalties for Non-Compliance?

  28. As part of the original Directive on privacy, each member state can establish its own regime for penalties. Maximum penalty : £500,000 Maximum penalty : €150,000 GDPR will standardise the penalty scheme. Now, the maximum penalty will be €20 million, or 4% of a company’s annual net worth.

  29. 11. What are the GDPR Privacy Principles?

  30. Clear information how the data is being used 01 Notification Consent or clear legal basis needed for sharing data 02 Lawfulness Personal data only be disclosed when necessary 03 Limits Reasonable measures are employed to protect the data. 04 Security The controller and the processors must comply with GDPR 05 Accountability Downstream Protection Any party with which the information was shared must adhere to privacy legislation. 06 The individual has the right to access and use his personal data 07 Access and Rights 08 Individual must be warned of the breach notification within 72 hours. Breach Notification

  31. 12. What are Some Best Practices to Ensure Data Remains Protected?

  32. 1 Clear desk policy Before any employee leaves his or her workstation: ▸ No materials describing private data are left on the desk ▸ Computers should be locked or logged off ▸ Any other electronic devices should be stored away or taken with the individual

  33. 2 Password security Passwords: It is imperative no passwords are written down, and if they are, they should be kept well away from the computer that they unlock ▸ Should be long ▸ Should containing a mix of lower- and upper-case letters, numbers and special characters ▸ Should not be words

  34. 3 Practice secure storage ▸ Any material that contains a person’s personal private information must be stored in a secure manner. ▸ If it is maintained digitally, it must be adequately encrypted.

  35. Ensure that mobile devices are secure 4 The Bring Your Own Device (BYOD) policies increase the risk of information theft. Devices should be adequately secured and, of course, be password-protected.

  36. 5 Ensure secure transmission of data ▸ Private information should not be sent via insecure, free email services or via fax. ▸ Senders of information should double- check to see if recipients are authorised to receive the information.

  37. 6 Secure workplaces from unauthorized personnel ▸ Work stations should be set up to prevent unauthorized visitors from seeing computer monitors ▸ Ensure that any files open on a desk are not readable by unauthorized passer-by’s.

  38. 7 Secure disposal of data ▸ Ensure that all protected data has been properly removed from DVDs, USB drives, mobile devices before disposal ▸ Hard copies of such data must be finely shredded

  39. 8 Reporting breaches ▸ The breach notification must be done within 72 hours ▸ The organization must report the breach to the EU Regulator ▸ Reports should be made if there has been a suspected, but unconfirmed, breach of data.

  40. 13. How to be GDPR-Compliant

  41. How to be GDPR-Compliant in 7 steps Step 2 Step 3 Step 1 Step 4 Step 5 Step 6 Step 7 Ensure third parties also adhere to GDPR Ensure the rights of the data subject are met Ensure to account for all possible risks Ensure privacy is a top priority for the organization Ensure accountability within the organization Ensure that data is properly processed Ensure there are procedures for dealing with data breaches in place.

  42. 14. GDPR Guide for Dummies: Conclusion

  43. GDPR states How data should be obtained How data should be processed How data should be stored

  44. Businesses and organizations operating outside the European Economic Area (EEA) Data subject to GDPR can only be shared with businesses and organizations in non- EU countries that have an adequacy agreement in place.

  45. GDPR Compliant Compliance of operations Compliance of third parties

  46. It is recommended businesses conduct a compliance audit and discuss their current level of data security with a GDPR Compliance Consultant.

  47. GDPR FOR You now know everything! DUMMIES Find more information about GDPR here: https://www.hipaaguide.net/gdpr-for-dummies/

More Related