for all personal data they process, regardless of citizenship
▸ Applies to processors outside Europe:
▸ for all personal data they process for all EU inhabitants
▸ identified or identifiable natural person (‘data subject’).
▸ An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
‣ Purpose limitation
‣ Data minimisation
‣ Accurate and up-to-date processing
‣ Limitation of storage
‣ Confidential and secure
‣ Accountability and liability
▸ Vital interests (forget this one …)
▸ Public task (forget this one …)
▸ Legitimate interests (intra-group transfers, IT security, fraud prevention, marketing …)
BE HONOURED … UNLESS YOU CAN’T
▸ Other obligation that has priority:
▸ Contract
▸ Legal obligation
▸ Vital interests
▸ Public task
▸ Legitimate interests (but be careful)
(even a tiny one)
▸ Core activities require regular and systematic processing at large scale
▸ Core activities involve processing on a large scale of “sensitive data”
▸ Genetics
▸ Biometrics
▸ Sexual preferences, orientation or data about sex life
▸ Political, religious, philosophical beliefs
▸ Trade union membership
▸ Criminal records
about the data your organisation processes and map them
▸ Requirement: “Register” of processing activities (e.g. gdpr-butler.eu)
▸ Why / Whose / What / When / Where
2. Think about security and privacy of your systems:
‣ Adequate security (encryption, access control, …)
‣ “Privacy by design”: e.g. the dev DB contains no real data
‣ “Privacy by default”: default settings
‣ ISO 27001 could be a guide, but it is not even mentioned in the GDPR
transparent and honest
‣ Privacy policy
‣ Mandatory: log data breaches (gdpr-butler.eu)
‣ Have an emergency plan in case of a breach
‣ Have a procedure to handle SARs (Subject Access Requests)
4. Third parties that process your data? Contract needed (see next slide)
5. Open a drawing app, design and print a nice GDPR Certified logo, frame it, hang it in your office and demand a pay raise!
‣ Controller: the entity who “controls” (owns) the data
‣ Processor: party who “processes” data for a controller
‣ Sub-processor: processor of a processor
CONTRACTS
‣ There needs to be a contract between controller and processor
‣ Most of it can be added to general T&C
‣ Important: shared liability, cannot be shifted either way!
‣ Processor can use sub-processors, but must name them
‣ “It depends”: a general description is enough in some cases
‣ In theory, the controller can object to a new sub-processor…
IS PROCESSING? “operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
IS PROCESSING?
‣ Hosting? Yes
‣ Backup services? Yes (unless the client encrypts it before they hand it to you)
‣ Having read-only access to an analytics account and using that data to optimise a site? Yes
‣ Having a root shell on the storage server of your customer? Yes
‣ Having access to the customer’s VPN router? Yes
➡ My advice: if in doubt, consider it processing!
‣ You can only use EEA (EU + Iceland + Norway + Liechtenstein) processors or sub-processors, unless:
‣ List of countries offering “equal protection”
‣ USA if Privacy Shield compliant
‣ most of Canada
‣ Switzerland, Argentina, Israel, New Zealand
‣ “Standard clauses”: model contract drafted by the EU
‣ Binding Corporate Rules: international group of companies
need to be noted in a register
▸ Breach likely to result in a risk to people’s rights and freedoms? ➡ report within 72 hours of becoming aware of the breach
▸ You won’t get fined if you have a data breach!
▸ “Tell it all, tell it fast, tell the truth”
real, your organisation is probably affected!
▸ All “GDPR Certification” programs are bullsh*t
▸ Be transparent, think about data, security
▸ Controller - Processor agreements
▸ Work in/for a larger organisation? Prepare for data breaches and SARs