JM GDPR Presentation UOH

The GDPR is the General Data Protection Regulation in EU law that sets guidelines for collecting and processing personal data of EU citizens. It gives individuals living in the EU more control over their personal data, including access to it and how it is used. Under the GDPR, individuals have 8 rights in relation to their personal data, including the right to access, rectify, erase or port their data. Organizations that process EU citizens' personal data must comply with the GDPR and can face penalties for violations.


GDPR

General Data Protection Regulation

Justin Mifsud
Disclaimer

I am not a lawyer or data protection expert, and I am only sharing my interpretation of information I have gathered for this lecture.

What will be presented here does not constitute legal advice.

Agenda

1. What is GDPR?
2. The 8 Rights for Individuals
3. The 6 Data Protection Principles
4. Implementing & Operating GDPR

1. What is GDPR?

OVERVIEW

SCOPE

DEFINITIONS
1.1 Definition of GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

Wikipedia

1.2 Directives vs. Regulations

Directive
• Individual implementation in each member state
• Implemented by creation of national laws
• Approved by the parliaments of each member state
• UK Data Protection Act 1998

Regulation
• Immediately applicable in each member state
• Requires no local implementing legislation
• GDPR is a regulation

1.3 GDPR Overview

A set of unified rules for all EU countries

Valid since 25th May, 2018

Protect personal data and strengthen privacy rights of EU individuals

Give users control over their data

1.4 Scope of GDPR

All businesses collecting or holding personal data on EU citizens

Irrespective of where they are located!

1.5 Personal Data

“Any information relating to an identified or identifiable natural person (‘data subject’) who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Article 4(1) of the GDPR

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

Article 9(1) of the GDPR

1.6 Personal & Sensitive Data

Personal Data
Name, Address, Phone, Credit Cards, Email Address, IP Address, Cookies & Online Identifiers

Does not just include information that a person explicitly supplies but also implicit information, such as browsing history

Sensitive Data
Biometric Data, Genetic Data, Health Data

1.7 Personal Data Breach

A personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

GDPR - Article 4(12)

1.8 GDPR Penalties

Depending on the nature of the infraction …

• A written warning
• A fine of up to €10M or 2% of annual worldwide turnover from the previous year (whichever is higher)
• A fine of up to €20M or 4% of annual worldwide turnover from the previous year (whichever is higher)

1.9 GDPR Penalties So Far

• Highest fine so far: €50M fine given to Google Inc. for insufficient legal basis for data
processing. Fine given in France on 21st January 2019.

• Lowest fine so far: €28 fine given to Google Ireland for insufficient fulfilment of data
subject rights. Fine given in Hungary on 16th July 2020.

• Over 220 fines have been handed out for GDPR violations between January and
October 2020 alone.

• Only 20% of US, UK and EU companies are fully GDPR compliant.

Source: Enforcement Tracker and Tessian.com


1.10 Who is Who?

• Data Subject: An individual, a resident of the EU, whose personal data is to be protected.

• Data Controller: An institution, business or a person that collects personal data from EU residents.

• Data Protection Officer (DPO): An expert in Data Protection Law, appointed by the Data Controller and responsible for overseeing data protection practices.

• Data Processor: A subject (company, institution) processing data on behalf of the controller, e.g. cloud service provider, SaaS solution.

• Data Authority: A public institution monitoring the implementation of the regulations in the specific EU member country.

1.11 Obligations

Data Processor
• Responsible for processing personal data on behalf of the data controller.
• Must notify the data controller without undue delay after becoming aware of a personal data breach.

Article 33(2) of the GDPR

Data Controller
• Determines the purposes and means of processing personal data
• Appointing DPO and monitoring data processors
• Must notify the supervisory authority if there is a personal data breach, not later than 72 hours. If this notification is not made within 72 hours, then a written reason must be provided.

Article 33(1) of the GDPR



2. The Rights For Individuals

RIGHT TO BE INFORMED

RIGHT OF ACCESS

RIGHT TO RECTIFICATION

RIGHT TO ERASURE

RIGHT TO RESTRICT PROCESSING

RIGHT TO DATA PORTABILITY

RIGHT TO OBJECT

RIGHTS IN RELATION TO AUTOMATED DECISION MAKING & PROFILING

2.1 GDPR Rights

Under GDPR, the data subject has 8 rights (GDPR – Articles 12 - 23):

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

2.2 The Right To Be Informed

Any processing of personal data should be lawful, fair, and transparent. It should be clear and transparent to individuals that you are collecting, using or otherwise processing their personal data, and what you will do with it.

Any information or communication related to the processing of personal data should be easily accessible, concise, and easy to understand, and clear and plain language should be used. Where appropriate, visualisation should be used.

Article 13 and 14 of the GDPR – Dataprotection.ie

2.3 The Right Of Access

Individuals have the right to request a copy of any of their personal data which is being ‘processed’ (i.e. used in any way), as well as other relevant information. These requests are often referred to as ‘data subject access requests’, or ‘access requests’.

The data subject is entitled to know the following:

• The purpose of the processing.
• The categories of personal data concerned.
• The period for which the personal data will be stored.
• The source from where they obtained this data (if it was not given to them by the data subject).

Article 15 of the GDPR – Dataprotection.ie

2.4 The Right To Rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data subject is entitled to have their personal data:

• Rectified (corrected)
• Completed (including by providing missing information)

Without any delays from the data processor

Article 16 of the GDPR – Dataprotection.ie



2.5 The Right To Erasure

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• Withdrawal of consent
• Objection to how the personal data is being processed
• Personal data is no longer necessary in relation to the purpose for which it has been collected, or has been unlawfully processed, or needs to be erased for compliance purposes

Article 17 of the GDPR

2.6 The Right To Restrict Processing

Data subjects have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

• Accuracy of the personal data is contested by the data subject, so the controller needs time to verify
• The processing is unlawful and the data subject requests restriction instead of erasure.
• The controller no longer needs the personal data but is required by the data subject to retain it for legal purposes
• Data subject has objected to processing and thus the controller requires time to verify legal grounds for this processing.

Article 18 of the GDPR – ICO.org.uk

2.7 The Right To Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

Applies to:

• Personal data that an individual has provided to a data controller;
• When the processing is carried out by automated means, e.g. browsing history.
• Where the processing is based on the individual’s consent or for the performance of a contract.

Article 20 of the GDPR – ICO.org.uk & ITGovernance.eu



2.8 The Right To Object

The GDPR gives individuals the right to object to the processing of their personal data at any time.

This effectively allows individuals to stop or prevent you from processing their personal data.

Individuals have an absolute right to stop their data being used for direct marketing.

In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.

Article 21 of the GDPR – ICO.org.uk & ITGovernance.eu



2.9 Auto Decision Making & Profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her.

The GDPR has provisions on:

• Automated individual decision-making (making a decision solely by automated means without any human involvement);
• Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

Article 22 of the GDPR – ICO.org.uk & ITGovernance.eu



3. The Principles of GDPR
LAWFULNESS, FAIRNESS, TRANSPARENCY

SPECIFIED, EXPLICIT, LEGITIMATE PURPOSE

ADEQUATE, RELEVANT AND LIMITED

ACCURATE & UP-TO-DATE

PSEUDONYMIZATION & STORAGE LIMITS

SECURITY
3.1 GDPR Principles

GDPR has 6 principles - all stated in Article 5.

Personal Data shall be:

• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary
• Accurate and kept up to date
• Kept in a form which permits identification of data subjects for no longer than necessary
• Processed in a manner that ensures appropriate security

GDPR – Article 5

3.2 GDPR Principles

1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to a data subject – people want to know what you are doing with their data!

2. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes – no more spam!

3.3 GDPR Principles

3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed – you cannot collect personal data for one purpose and use it somewhere else!

4. Personal data shall be accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without undue delay – give your users ways to update their data!

3.4 GDPR Principles

5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed – tell people for how long you will keep their personal data

6. Personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures – security, security, security!

4. Implementing & Operating GDPR

OVERVIEW

SCOPE

DEFINITIONS
4.1 GDPR Compliance

No magic bullet – There is no one solution to achieving GDPR compliance that applies to all organisations and to all aspects of GDPR.

We will discuss a generic approach to demonstrate what a solution might look like ….

4.2 GDPR Compliance In 3 Steps

1. Audit Your Data
2. Conduct a Gap Analysis to Achieve Compliance
3. Monitor, Audit & Continually Improve

Adapted from IT Governance Ltd.



4.3 Audit Your Data

• Investigate and audit all data sources that your company collects or processes, irrespective of where the data is stored (local, cloud, etc.) or how it is formatted (structured vs. unstructured). Also identify any 3rd party processors.

• Inspect and identify what personal data each source contains.

• Understand and document:
  • How data moves through the company
  • Why it is collected and / or processed
  • How it is handled
  • How it is stored
  • How and when it is disposed of

4.4 Audit Your Data

Source: @Ideea via Medium


4.5 Conduct A Gap Analysis

• Apply the 6 principles of GDPR to the personal data you have identified. Assess the risks to the rights and freedoms of data subjects associated with your collection and processing of the personal data you have identified.

• You are probably already meeting some of the GDPR requirements (quite possibly in an unfocused / unstructured way).

• Develop the controls, policies and processes that need to be implemented in order to achieve compliance for all the personal data that is being collected and / or processed. This also includes entering into agreements with any 3rd party processors.

• Among the processes, there should be ones clearly documenting how requests related to the rights of data subjects should be carried out.

4.6 Monitor, Audit & Continually Improve

• GDPR compliance is ongoing, not a one-off task.

• You need to regularly monitor and audit your compliance. This means documenting your processes and procedures, and regularly checking them to ensure they’re still fit for purpose, in line with the Regulation’s accountability principle.

Any Questions?
End of Presentation
