Hello and welcome back to this introduction to GDPR.
In this video we'll show where changes have been made to existing legislation
and highlight the key points for compliance.
We'll start off by looking at the changes from the data protection directive.
The key changes that GDPR brings to personal data protection are
standardisation of regulations and enforcement.
This is to help develop the internal market by easing the transfer of data within the EU
and reducing compliance costs for pan-European companies.
Member states can still create additional rules in some areas, so there will still be some wrinkles in this.
Personal data belongs with the individual, not the organisation,
and data subjects have enhanced rights.
These include the right to be forgotten and the right to move their data between companies.
Data privacy is a fundamental right,
as was discussed in one of the earlier videos.
GDPR applies to any organisation processing personal data of EU-based individuals.
This expands the scope of the regulations quite considerably, to include foreign companies targeting EU-based individuals.
GDPR makes more demands on controllers, with requirements to clearly and transparently explain to data subjects what their data will be used for
and to explicitly record that consent. There are also stricter rules around processing children's data and the need for clear and child-friendly notices to explain to children what the data is being collected for.
Also, parental consent is likely to be needed for online services aimed at children.
Finally, processing itself must be carried out in a lawful, fair and transparent manner.
GDPR defines several special categories of data which enjoy increased regulatory protection,
including racial, political, religious, health and genetic data, and these carry stringent penalties for misuse.
By default, these categories of data cannot be processed,
so be sure of your legal basis for processing before starting.
The right to erasure, the right of access to information and the right to restrict processing for data subjects.
This follows on from the earlier point that personal data belongs to the individual, not to the organisation.
So to manage this, organisations might well need to keep metadata so that they know what data they've held and have deleted.
Pseudonymisation.
It's an important consideration for being able to achieve a safe breach. It entails splitting the data that can identify an individual from the other data the organisation holds on them.
These sets of data need to be kept separately and preferably encrypted, which is another recommendation of GDPR, so that if the data is stolen it is essentially useless. And if the data is essentially useless when you have a breach, you don't need to notify the supervisory authority or the data subjects.
Security by design and by default.
These are important concepts. They mean that security can no longer be treated as an add-on. Security must be at the forefront of processes involving personal data, and security decisions need to be documented for compliance.
Security concerns and all rights of the data subjects need to be adequately addressed before processing can be started.
Records of processing:
all the types of personal data being processed
and the purposes for which they're being processed.
The Data Protection Officer. This is a specified role with defined responsibilities within the regulations, reporting to the highest level of management, usually the board.
The role is primarily involved in ensuring compliance with GDPR within the organisation
and is the main point of contact between the organisation and the supervisory authority.
Data protection impact assessments, or privacy impact assessments as they used to be known.
You must carry out a data protection impact assessment on any high-risk processing before it is commenced.
Personal data breach notification. There are new rules around this: breaches that involve a risk of harm to data subjects must be notified without undue delay and within 72 hours.
That's 72 hours in which to notify the supervisory authority of the initial breach. Further information can be sent along in the days and weeks that follow, and the supervisory authority themselves may also want you to provide them with additional information.
Data subjects have a right to complain about unfair processing to their supervisory authority, which will progress the complaint with the controller's supervisory authority.
Administrative fines are now 10 million euros or 2% of global revenues, and up to 20 million euros or 4% of global revenues, whichever is higher, for more severe breaches involving special categories of data, consent, or depending on the severity of the breach.
Accountability: the controller must be able to show compliance at all times.
So, as I said, organisations are now required to be able to demonstrate compliance at all times. This involves documenting their actions as well as being compliant in their processes,
so they need to establish the lawfulness of processing.
This will typically be through express consent of data subjects, a contract, a legal requirement or a relationship where processing is expected.
Consent must be recorded, and mechanisms for withdrawing consent must be in place if needed.
Specific consent is needed from data subjects for processing special categories of data.
Mechanisms for withdrawing consent must be in place if needed.
Security by design and by default.
All processes must start with due consideration of protecting data subjects from harm and making adequate mitigation of the risks.
Remember, information security is primarily a risk management exercise.
Perform data protection impact assessments, or data privacy impact assessments.
These must be performed on any high-risk processing before it is commenced. This is about the risk to individual rights and freedoms, rather than the risks faced by the organisation.
Pseudonymisation, as I mentioned before, means the processing of personal data such that it can no longer be attributed to the data subject without additional information,
provided that such additional information is kept separately and protected with suitable technical and organisational measures to prevent attribution to the individual.
Encryption, properly implemented, should allow for a safe breach, where the data is unintelligible,
and a safe breach will mean that you don't have to notify the breach to the supervisory authority or to the data subjects.
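The splitting described here and in the earlier pseudonymisation section, as an added example that is not part of the video: direct identifiers are replaced by a keyed token in the working data set, the token-to-identity lookup is held separately (to be encrypted and kept with the secret key in a separate store, which is assumed rather than shown), and removing a lookup entry leaves the residual data unattributable, which is what the right to erasure needs. The sample records, field names and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Direct identifiers split out of the working data set (the fields that identify a person).
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "plan": "gold", "spend": 120},
    {"name": "Bob Example", "email": "bob@example.test", "plan": "basic", "spend": 15},
]

def pseudonymise(records, key):
    """Split records into a working set (token instead of identifiers) and a lookup
    table (token -> identifiers) that must be stored separately and encrypted."""
    working_set, lookup = [], {}
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        # Keyed HMAC: same subject -> same token (records still link up), but the token
        # cannot be recomputed from a guessed name/email without the secret key.
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
        working_set.append({"subject_id": token,
                            **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return working_set, lookup

def has_direct_identifiers(working_set):
    """True if any direct identifier field leaked into the working set."""
    return any(f in rec for rec in working_set for f in DIRECT_IDENTIFIERS)

def reidentify(pseudo_rec, lookup):
    """Re-attribute a working-set record, or None if the subject's mapping is gone."""
    ident = lookup.get(pseudo_rec["subject_id"])
    return None if ident is None else {**ident, **pseudo_rec}

def erase_subject(lookup, token):
    """Right to erasure: drop the mapping, leaving the residual data unattributable."""
    return lookup.pop(token, None) is not None

def demo():
    key = secrets.token_bytes(32)  # hold in a KMS/HSM, never beside the working set
    working_set, lookup = pseudonymise(SAMPLE_RECORDS, key)
    before = reidentify(working_set[0], lookup)["name"]
    erase_subject(lookup, working_set[0]["subject_id"])
    return has_direct_identifiers(working_set), before, reidentify(working_set[0], lookup)

if __name__ == "__main__":
    print(demo())  # (False, 'Alice Example', None)
```

A stolen copy of the working set alone reveals plan and spend figures tied to opaque tokens only; re-attribution needs the separately held lookup (or the key plus a correct guess of the identifiers).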
Appropriate security and privacy policies. This may take the form of the organisation's ISMS,
their information security management system, such as ISO 27001.
Allow data subjects to view, amend, move and delete their personal data.
As I mentioned before, personal data belongs to the individual rather than to the organisation.
So it's likely that organisations will be required to provide some form of data portal so that data subjects can access their data.
Data portability will also be required.
Data portability will also require that data is held in industry-standard formats,
as is already the case, say, with mobile phone data.
Keep records of processing activities, i.e. the types of data being processed and the purposes for which they're being processed.
Appoint a data protection officer.
This could be voluntary or mandatory: if the organisation is a public authority or body,
if the controller or processor processes personal data on a large scale,
or if the organisation processes special categories of data on a large scale.
Be able to detect and notify personal data breaches without undue delay,
where breaches pose a risk to data subjects. This is typically within 72 hours. You must also keep an internal breach register.
Abide by industry standards, best practices and codes of conduct,
obtaining certification of compliance as they become available.
Management of processors.
GDPR imposes a high duty of care on controllers in selecting their personal data processors.
Contracts must be carefully drafted to limit processing and the length of time that the personal data will be held, and to impose obligations on the processor, such as assistance with notification of breaches,
and to ensure that these are applied to any sub-processors.
Legitimate transfers of personal data to third countries or to international organisations.
By default, transfers of personal data to third countries are unlawful, so the onus is on the controllers to have clearly documented the reasons why the transfers are lawful, and to have the technical and organisational processes in place
to protect the rights and freedoms of the data subject.
Well, in this first set of videos I've tried to cover the main areas of GDPR and in particular to look at the new things that appeared in the regulations.
It's important to remember this is new legislation and is not yet tested in practice;
that only happens as the supervisory authorities and courts interpret the law.
And there's also the work of the Article 29 Working Party, which works to provide guidance and clarity on specific aspects of data protection.
Anyway, thank you very much for watching these videos, and I hope they've been informative and helpful to you.