▸ identified or identifiable natural person (‘data subject’).
▸ An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
about the data your organisation processes and map them
▸ Requirement: “Register” of processing activities (e.g. gdpr-butler.eu)
▸ Why / Whose / What / When / Where
2. Think about security and privacy of your systems:
‣ Adequate security (encryption, access control, …)
‣ “Privacy by design”: e.g. dev-DB contains no real data
‣ “Privacy by default”: default settings
‣ ISO 27001 could be a guidance but is not even mentioned in the GDPR
CONTRACTS
‣ Needs to be a contract between controller and processor
‣ Most of it can be added to general T&C
‣ Important: shared liability, cannot be shifted either way!
‣ Processor can use sub-processors, but must name them
‣ “It depends”: general description is enough in some cases
‣ In theory, controller can object to new sub-processor…
IS PROCESSING?
“operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
IS PROCESSING?
‣ Hosting? Yes
‣ Backup services? Yes (unless the client encrypts it before they hand it to you)
‣ Having read-only access to an analytics account and using that data to optimise the site? Yes
‣ Having a root shell on the storage server of your customer? Yes
‣ Having access to the customer’s VPN router? Yes
➡ My advice: if in doubt, consider it processing!
‣ You can only use EEA (EU + Iceland + Norway + Liechtenstein) processors or sub-processors, unless:
  ‣ List of countries offering “equal protection”:
    ‣ USA if Privacy Shield compliant
    ‣ most of Canada
    ‣ Switzerland, Argentina, Israel, New Zealand
  ‣ “Standard clauses”: model contract drafted by the EU
  ‣ Binding Corporate Rules: international group of companies
need to be noted in a register
▸ Breach likely to result in a risk to people’s rights and freedoms? ➡ report within 72 hours of becoming aware of the breach
▸ You won’t get fined if you have a data breach!
▸ “Tell it all, tell it fast, tell the truth”
real, your organisation is probably affected!
▸ All “GDPR Certification” programs are bullsh*t
▸ Be transparent, think about data, security
▸ Controller - Processor agreements
▸ Work in/for a larger organisation? Prepare for data breach and SAR