
Page 1

© 2018 Jabian, LLC | Confidential.

General Data Protection Regulation (GDPR)

October 2018

Page 2

TODAY’S TOPICS

WHAT IS GDPR

WHY BAs SHOULD CARE ABOUT GDPR

GDPR IMPLICATIONS FOR COMPANIES

Page 3

WHAT IS GDPR

Page 4

TRUISM #1

YOU MAY NOT BE INTERESTED IN BIG DATA, BUT IT’S INTERESTED IN YOU

Page 5

TRUISM #2

THERE’S A TRADE-OFF BETWEEN FREE PRODUCTS AND YOUR DATA

Page 6

TRUISM #3

DATA AFFECTS WHAT YOU SEE, HEAR, READ, AND DO

Page 7

BIG DATA VS. YOU

THE WORLD IS DEFINED BY TECHNOLOGY ASYMMETRIES

Page 8

BIG DATA VS. YOU

THE WORLD IS DEFINED BY TECHNOLOGY ASYMMETRIES

GDPR

Page 9

GDPR IS THE MOST COMPREHENSIVE DATA REGULATION TO DATE

THE EUROPEAN UNION’S

GENERAL DATA PROTECTION REGULATION (GDPR)

WENT INTO EFFECT ON MAY 25, 2018

Page 10

PRINCIPLES THAT GUIDE GDPR

PROTECTION OF PERSONAL DATA IS A RIGHT

“The protection of natural persons in relation to the processing of personal data is a fundamental right.” (Recital 1)

CONSUMER DATA SHOULD BE TREATED AND HANDLED IN A STANDARDIZED WAY

“[Directive 95/46/EC, which GDPR replaces] …seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.” (Recital 3)

“The processing of personal data should be designed to serve mankind.” (Recital 4)

PRIVACY BY DESIGN, PROTECTION BY DEFAULT

“[T]he controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” (Recital 78)

DATA PROCESSING SHOULD BE TRANSPARENT

“[T]o ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators…” (Recital 13)

Page 11

GDPR MADE MAJOR REVISIONS TO EXISTING EUROPEAN REGULATIONS

MAJOR ASPECTS OF GDPR INCLUDE…

• Expanded territorial scope – applies to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. Ch 1, Art 3(1) & (2)

• Stiffer penalties – administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations. Ch 8, Art 83 & 84

• Consent – where consent is the legal basis for processing, it must be freely given, specific, informed and unambiguous, and the controller must be able to demonstrate it. Consent is one of several lawful bases, not the only one, and “explicit” consent is required only in specific cases such as special-category data. Ch 1, Art 4(11); Ch 2, Art 6, 7 & 9

• Data protection officers – public authorities and organisations whose core activities involve large-scale monitoring or special-category data must designate a DPO, who reports to the highest level of management. Ch 4, Art 37 & 38

• Data subject rights – provides consumers control of their data. Ch 3

• Breach notifications – controllers must notify the supervisory authority within 72 hours of becoming aware of a breach (processors must notify the controller without undue delay), and must communicate high-risk breaches to affected data subjects “without undue delay”. Ch 4, Art 33 & 34

Page 12

GDPR DIRECTLY AFFECTS DATA SUBJECTS, CONTROLLERS, AND PROCESSORS

GDPR DIRECTLY AFFECTS…

• Data subjects – identified or identifiable natural persons whose personal data is processed. Ch 1, Art 4(1). Scope turns on where the person is, not on citizenship: data subjects “in the Union” are covered even when the controller is outside it. Ch 1, Art 3(2)

• Controllers – the parties that determine the purposes and means of processing. Ch 1, Art 4(7). This includes:

o Companies that collect, store, analyze, or transfer data of EU data subjects (each of these counts as “processing”). Ch 1, Art 3(2) & Art 4(2)

o Companies “established” in the EU, wherever the processing itself takes place. Ch 1, Art 3(1)

o Companies outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU, including those that market or advertise to EU consumers. Ch 1, Art 3(2)(a) & (b)

• Processors – parties, typically third-party vendors, that process personal data on behalf of a controller and under its instructions. Ch 1, Art 4(8). A recipient that decides its own purposes for the data is a controller in its own right, not a processor.

Page 13

GDPR GRANTS CONSUMERS THE FOLLOWING RIGHTS

DATA SUBJECTS HAVE THE RIGHT TO…

RIGHT TO BE INFORMED

… know how their data is being used. The information is usually provided at the point of collection or consent; how consumer data is obtained, stored, analyzed, and transferred is typically relayed through a privacy policy near the call-to-action, written in clear and plain language. Ch 3, Art 12, 13 & 14

RIGHT TO OBJECT

… object to the way a company uses their data or contest its processing practices. After an objection, the controller may continue processing only if it demonstrates “compelling legitimate grounds” that override the data subject’s interests, a judgement business leaders usually need legal counsel to make; objections to direct marketing must always be honoured. Ch 3, Art 21

RIGHT TO ACCESS

… view their data. GDPR specifies what a company must disclose: confirmation that processing is occurring, a copy of the personal data, and details such as the purposes, recipients, retention period, and source of the data. Access may be limited only where it would adversely affect the rights and freedoms of others, including trade secrets and intellectual property, and that limitation cannot be used to refuse all information. Ch 3, Art 15; Recital 63

RIGHT TO RECTIFY

… correct inaccurate or incomplete data. Often this is actioned through consumer-facing pages with self-editing functionality. Ch 3, Art 16

Page 14

GDPR GRANTS CONSUMERS THE FOLLOWING RIGHTS

DATA SUBJECTS HAVE THE RIGHT TO…

RIGHT TO PORT

… download their data in a structured, commonly used, machine-readable format. This allows consumers to take their data to a different product or service. Ch 3, Art 20

RIGHT TO RESTRICT

… restrict how the company uses their data, for example while an accuracy dispute or an objection is being resolved. Restricted data may still be stored but not otherwise processed without consent. This right is difficult to put into action and may require discussions with legal counsel before developing functionality; it often coincides with objections, rectifications, and erasures. Recital 67; Ch 1, Art 4(3); Ch 3, Art 18

RIGHT TO ERASE

… delete their data, also known as the “Right to be Forgotten.” Because companies store and back up consumer data in multiple locations, the timing and type of deletion can be challenging for business leaders to work through. Ch 3, Art 17

RIGHTS RELATING TO AUTOMATED DECISION-MAKING & PROFILING

… know whether a company uses their data for automated decision-making or profiling and, for decisions with legal or similarly significant effects, to obtain human intervention and contest the decision. Ch 3, Art 22; Art 13(2)(f) & 15(1)(h)

Page 15

GDPR COMPLIANCE SAMPLE QUESTIONS

RIGHT TO BE INFORMED

• Do the user agreement, data policy, terms of sale, terms of agreement, or terms of use need to be updated?

• How and where will the consumer be informed? What is the update mechanism?

• Do 3rd party companies need to display the same disclosures?

• How will consent be obtained and documented?

• Are consumers opted in to any policies by default?

• How difficult is it for the consumer to opt out?

• How will data linked with minors be treated?

RIGHT TO OBJECT

• How does the legal team define “compelling legitimate grounds”?

• How will communications be documented and retained?

• Will data restrictions occur with objections?

• What is the SLA for objections?

• How will the company treat objections that it will not honor?

RIGHT TO ACCESS

• What information will the consumer have access to? Through what mechanism?

• How and when will the consumer’s identity be verified? Is a second authentication factor required?

• What is the SLA for granting access to consumers?

• Do consumers require account creation to access their data?

• What data is considered PII?

• How will data linked with minors be accessed? By whom?

• Does any gating occur?

RIGHT TO RECTIFY

• What information will the consumer be able to edit? Through what mechanism?

• Are edits logged or archived?

• What is the timing of edits?

• Do consumers require account creation to edit their data?

• Will data restrictions occur with rectifications?

Page 16

GDPR COMPLIANCE SAMPLE QUESTIONS

RIGHT TO PORT

• In what format can the consumer download her data? What data?

• What is the SLA of the download?

• Will downloads be actioned with the right to access?

RIGHT TO RESTRICT

• In what instances will restrictions be placed? Lifted?

• What is the SLA of restrictions?

• How does the legal team define “restrictions” and “processing” of data?

• From what systems or processes will consumer data be restricted?

• What data is subject to restrictions?

RIGHT TO ERASE

• What data will be erased and what needs to be retained?

• Is erasure a hard delete, soft delete, or just a flag?

• Will an erasure occur within all systems and databases, including backups? What about 3rd party data?

• What is the SLA of the erasure?

• Do erasures require legal approval?

• Do data retention policies need to be updated?

RIGHTS RELATING TO AUTOMATED DECISION-MAKING & PROFILING

• What type of processing occurs, nominal or machine learning?

• Do 3rd parties process consumer data and return it? What is the result of the processing?

• What are the data policies for the SaaS systems used? Which party is responsible for informing consumers about their practices?

• Will consumers have to object to request removal from automated processing to obtain human intervention?

• Does profiling occur? If so, in what instances and what is the outcome?

• How will subscriptions be handled?

Page 17

GDPR COMPLIANCE STARTS WITH INFORMED & EXPLICIT CONSENT FROM DATA SUBJECTS

“…freely given, specific, informed and unambiguous indication of the data subject’s wishes” Ch 1, Art 4(11)

EXPLICIT CONSENT sits in front of every stage of the data lifecycle shown on the slide:

OBTAIN DATA → STORE DATA → ANALYZE DATA (NOMINAL or AUTOMATED) → TRANSFER DATA

Ch 2, Art 7

Page 18

WHY BAs SHOULD CARE ABOUT GDPR


Page 20

GDPR IS A CONCERN FOR CORPORATIONS

“…the European Union on Friday enacts the world’s toughest rules to protect people’s online data. And with the internet’s borderless nature, the regulations are set to have an outsize impact far beyond Europe.”

G.D.P.R., a New Privacy Law, Makes Europe World’s Leading Tech Watchdog (May 24, 2018)

“…GDPR requires that all customer data be portable, meaning that organizations must be capable of honoring their customers’ requests to delete their personal information or transfer it to another system if they choose another supplier, including an audit trail to confirm that the data was handled properly. When you investigate the regulation in depth, there are many new data management requirements.”

A Nine-Point Checklist For Successful Compliance With GDPR (July 6, 2018)

“GDPR is designed to give EU consumers control over how companies can collect and use their personal data. Since information online is borderless, the new law affects every company that has any contact with users in the EU, anywhere up or down a company’s data supply chain.”

What it’s like to use the web in Europe after the arrival of GDPR (May 25, 2018)

Page 21

WHAT GDPR MAY MEAN TO YOU

Page 22

GDPR IS A CONCERN FOR CORPORATIONS

Rep. Gene Green (D-TX): “In recent days you’ve said that Facebook intends to make the same settings [GDPR] available to users everywhere, not only in Europe. Did I understand correctly that Facebook would not only make the same settings available, but that it will make the same protections available that they will make the Europeans?”

Mark Zuckerberg (CEO Facebook): “Yes, Congressman. All the same controls will be available around the world.”

Page 23

CONSENT EXAMPLE


Page 24

Waldo

RIGHT TO ACCESS

RIGHT TO PORT

RIGHT TO ERASE

RIGHT TO RECTIFY


Page 26

NOTIONAL GDPR “ERASURE” REQUEST

1. Waldo submits a “delete” request to erase his account & info

2. The erasure request auto-triggers a review period

3. Automated scripts are sent with “erasure” commands

4. Country- and consumer-pertinent laws and policies guide the erasure scripts

5. Erasure occurs by database, data table & data field for Waldo’s personal information, across every store that holds it (Database A, Database B, … Database X)
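The five steps above, implemented as a small orchestrator. This is an added example, not code from the Jabian deck: the database names, tables and fields, the seven-day review window, the tax-retention rule, the processor list and the in-memory sample data are all assumptions constructed for illustration.

```python
# Added example (not Jabian's code): a notional erasure orchestrator for the five
# steps on the slide. Schema, review window, retention rule, processors: all assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

Databases = Dict[str, Dict[str, List[dict]]]
REVIEW_PERIOD = timedelta(days=7)             # assumed review window (step 2)
PROCESSORS = ["mail-saas", "analytics-saas"]  # assumed processors holding copies
# Step 5 inventory (assumed schema): database -> table -> personal-data fields.
ERASURE_PLAN: Dict[str, Dict[str, List[str]]] = {
    "db_a": {"accounts": ["email", "name", "phone"]},
    "db_b": {"orders": ["ship_to_name", "ship_to_addr"]},
    "db_x": {"marketing": ["email", "segment"]},
}
RETENTION_RULES: Dict[Tuple[str, str], str] = {  # step 4 (assumed): orders are kept
    ("db_b", "orders"): "tax retention: keep record, anonymise personal fields"}

@dataclass
class ErasureRequest:
    subject_id: str
    submitted_at: datetime
    status: str = "pending_review"
    audit: List[dict] = field(default_factory=list)  # audit trail of every action

    def log(self, **entry) -> None:
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(), **entry})

def submit(subject_id: str, now: Optional[datetime] = None) -> ErasureRequest:
    """Steps 1-2: record the request; the review period starts automatically."""
    now = now or datetime.now(timezone.utc)
    req = ErasureRequest(subject_id, now)
    req.log(event="submitted", review_until=(now + REVIEW_PERIOD).isoformat())
    return req

def review(req: ErasureRequest, now: Optional[datetime] = None,
           legal_hold: bool = False) -> bool:
    """Step 2: scripts may run only once the review period elapsed with no hold."""
    now = now or datetime.now(timezone.utc)
    if legal_hold:
        req.status = "denied"
        req.log(event="denied", reason="legal hold")
    elif now >= req.submitted_at + REVIEW_PERIOD:
        req.status = "approved"
        req.log(event="approved")
    return req.status == "approved"

def erase(req: ErasureRequest, databases: Databases) -> List[dict]:
    """Steps 3-5: walk database -> table -> field, honouring per-table retention."""
    if req.status != "approved":
        raise PermissionError("erasure scripts require an approved request")
    for db, tables in ERASURE_PLAN.items():
        for table, fields in tables.items():
            rows = databases.setdefault(db, {}).setdefault(table, [])
            mine = [r for r in rows if r.get("subject_id") == req.subject_id]
            rule = RETENTION_RULES.get((db, table))
            if rule:  # retained row: null its personal fields, keep the rest (the key
                for row in mine:  # is kept so the check below can find the row; production
                    row.update({f: None for f in fields})  # code would pseudonymise it too)
                req.log(event="anonymised", db=db, table=table, rows=len(mine), reason=rule)
            else:  # hard delete the subject's rows
                databases[db][table] = [r for r in rows if r.get("subject_id") != req.subject_id]
                req.log(event="deleted", db=db, table=table, fields=fields, rows=len(mine))
    for p in PROCESSORS:  # copies held by processors must go too (Art 17(2), Art 19)
        req.log(event="processor_notified", processor=p)
    req.status = "completed"
    return req.audit

def remaining_personal_data(databases: Databases, subject_id: str) -> int:
    """Verification pass: count personal fields still populated for the subject."""
    return sum(1 for db, tables in ERASURE_PLAN.items()
               for table, fields in tables.items()
               for row in databases.get(db, {}).get(table, [])
               if row.get("subject_id") == subject_id
               for f in fields if row.get(f) is not None)

def sample_databases() -> Databases:
    """Constructed sample data: Waldo requests erasure; Carmen's data must survive."""
    return {
        "db_a": {"accounts": [
            {"subject_id": "waldo", "email": "w@example.org", "name": "Waldo", "phone": "555-0100"},
            {"subject_id": "carmen", "email": "c@example.org", "name": "Carmen", "phone": "555-0101"}]},
        "db_b": {"orders": [{"subject_id": "waldo", "order_no": 1001, "total": 42.0,
                             "ship_to_name": "Waldo", "ship_to_addr": "1 Main St"}]},
        "db_x": {"marketing": [{"subject_id": "waldo", "email": "w@example.org", "segment": "travel"}]},
    }

def run_example() -> dict:
    """Drive the whole flow on the sample data and return the checkable results."""
    dbs = sample_databases()
    t0 = datetime(2018, 10, 1, tzinfo=timezone.utc)
    req = submit("waldo", t0)
    too_early = review(req, t0 + timedelta(days=1))  # still inside the review period
    approved = review(req, t0 + timedelta(days=8))
    erase(req, dbs)
    return {"too_early": too_early, "approved": approved,
            "waldo_left": remaining_personal_data(dbs, "waldo"),
            "carmen_left": remaining_personal_data(dbs, "carmen"),
            "orders_kept": len(dbs["db_b"]["orders"]),
            "accounts_kept": len(dbs["db_a"]["accounts"]),
            "events": [e["event"] for e in req.audit]}
```

The design choices worth copying from this sketch: the scripts refuse to run without an approved request, retention rules are applied per table rather than by skipping whole databases, every action lands in the audit trail, processors holding copies are notified as part of the same run, and a verification pass counts what personal data is still linked to the subject afterwards instead of trusting the scripts.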

Page 27

COMPANIES WOULD NEED SOLUTIONS FOR EACH GDPR “RIGHT”

ACCESS · RECTIFY · RESTRICT · PORT · ERASE · OBJECT

Page 28

GDPR SPECIFIES CERTAIN FUNCTIONALITY

Under GDPR, consumers have the following rights regarding their data: ACCESS · RECTIFY · RESTRICT · PORT · ERASE · OBJECT

These rights are generally actioned in the following way: [diagram; the slide groups ACCESS and RESTRICT together, and PORT, ERASE, OBJECT and RECTIFY together]

Some companies’ “compliance” solution looks like: [diagram; the same two groups]

Page 29

DATA PRIVACY IS HERE TO STAY

“Apple says the privacy policies must identify what data the app collects, in what manner, and how it is used... [and] explain data retention policies and detail how a user can revoke consent and request deletion of any personal data stored.”

New App Store rules will require all apps to have a privacy policy (August 31, 2018)

“The moves [lobbying] have seen companies from both camps, including Microsoft, Google, IBM, and Facebook, lobby the White House to begin outlining new federal rules before the Californian regulations come into force in 2020. The aim is to outline a national alternative by the end of this year.”

GDPR USA: Why tech industry now lobbying against consumer privacy (August 29, 2018)

“The new law grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it. It gives consumers the right to tell companies to delete their information as well as to not sell or share their data.”

California Passes Sweeping Law to Protect Online Privacy (June 28, 2018)

“In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law.”

Tech Industry Pursues a Federal Privacy Law, on Its Own Terms (August 26, 2018)

Page 30

GDPR IMPLICATIONS FOR COMPANIES

Page 31

GENERAL COMPANY ATTITUDES TOWARD GDPR

COMMON COMPANY SENTIMENTS

• “My company is in North Carolina, so I need not care about GDPR.” Not so fast. If your company processes data of EU data subjects, markets to EU consumers, or is established in the EU, then it may be subject to GDPR. Ch 1, Art 2 & 3

• “GDPR compliance costs outweigh the benefits.” Maybe. But the cost of violations can be severe: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Ch 8, Art 83(5)

• “Data privacy is an ephemeral trend and will go away.” It’s possible, but a federal privacy regulation is currently being lobbied for in the U.S. Congress.

• “We’re ‘transparent’ because we had our legal team draft a privacy policy.” Is the policy periodically updated and written in clear and plain language? Ch 2, Art 7(2); Ch 3, Art 12, 13 & 14

• “We have no idea whether our company is compliant with GDPR.” Seek help from a trusted advisor.

Page 32

GDPR COMPLIANCE IMPACTS MULTIPLE TEAMS

OUTSIDE COUNSEL

LEGAL

EXECUTIVE LEADERSHIP

DATA GOVERNANCE COMMITTEE

PRODUCT MANAGEMENT

DEVOPS

ARCHITECTURE

Page 33

About the presenter: Adam C. Johnson is a manager at Jabian Consulting’s Atlanta office.