Slide 1

Slide 1 text

GDPR: Lift the fog - explain what’s new - what do you need for your blog?

Slide 2

Slide 2 text

Disclaimer
• I am not a lawyer, this is not legal advice
• I have talked to some, listened to some
• If you are a company and haven’t updated your data protection policies, try to get a data protection lawyer or specialist right now! They’re very scarce right now
• What I’m gonna tell you is what I did for my side project, your mileage may vary

Slide 3

Slide 3 text

GDPR? why is everybody talking about it? why should I care? why do I get so many mails men

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Are you processing PII? Personally identifiable information

Slide 6

Slide 6 text

What is PII?

Slide 7

Slide 7 text

Personally Identifiable Information

Slide 8

Slide 8 text

Is any of this PII?

Slide 9

Slide 9 text

It’s best to be a bit overeager and treat everything relatable to a person as PII.

Slide 10

Slide 10 text

What is processing?

Slide 11

Slide 11 text

„Processing“
• Collecting
• Storing
• Distributing
• Connecting
Everything is processing, also MANUAL!

Slide 12

Slide 12 text

EXEMPTION: If you only process data privately, then GDPR does not bother you („household exemption“). You do something online? It’s not private!

Slide 13

Slide 13 text

General Rule: Everything is forbidden, unless it is allowed

Slide 14

Slide 14 text

When is it allowed to process PII? This is where we go into the law… Article 6, No. 1 a-f GDPR

Slide 15

Slide 15 text

Ar

Slide 16

Slide 16 text

Ar

Slide 17

Slide 17 text

Ar

Slide 18

Slide 18 text

wait …

Slide 19

Slide 19 text

where was a?

Slide 20

Slide 20 text

Ar

Slide 21

Slide 21 text

Ar

Slide 22

Slide 22 text

Ar

Slide 23

Slide 23 text

Ar

Slide 24

Slide 24 text

Ar

Slide 25

Slide 25 text

Can I share PII with 3rd parties?

Slide 26

Slide 26 text

Yes, but …

Slide 27

Slide 27 text

• You have to make sure they comply with the same regulations
• Contract Agreement („Auftragsvereinbarung“)
• You are responsible for data protection violations together with the 3rd party

Slide 28

Slide 28 text

Even to other countries?

Slide 29

Slide 29 text

Yes, but …

Slide 30

Slide 30 text

• All EU countries are ok
• EEA countries are ok
• Some countries are whitelisted by the EU
• Currently in talks with other countries

Slide 31

Slide 31 text

Your user’s rights

Slide 32

Slide 32 text

The right to access (Art. 15 & 20)
• You have to provide all PII you collected from a user upon request.
• You have to provide it immediately upon request (up to 1 month)
• You have to make sure you are sending the data to the right person (Download in an account is better than sending out emails)
• If you think a user is abusing his rights, you may deny his request

Slide 33

Slide 33 text

The right to correction

Slide 34

Slide 34 text

The right to be forgotten (Art. 17)
• Delete PII when the user requests so
• You can decline if there are legal obligations to keep data (tax reasons, etc)
• If possible you can anonymize data (i.e. blog comments - remove name & email, but keep the content if you cannot link it back to the person)
• Art. 18: User can restrict what you do with data (stop processing, but keep for legal reasons)
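Slides 32 and 34 describe the two request types a blog actually has to serve: the access/portability export and erasure by anonymisation (keeping the comment text only if it cannot be linked back, holding records you are legally obliged to keep). The following Python is an added illustration, not code from the talk; `Comment`, `make_sample_store`, `export_user_data` and `erase_user` are assumed names, and the comment records are constructed.

```python
# Added example (not from the talk): a blog handling reader GDPR requests over comment
# records: access/portability (Art. 15 & 20), erasure by anonymisation (Art. 17) and
# restriction (Art. 18). Every record below is constructed; no real people.
from dataclasses import dataclass, asdict

@dataclass
class Comment:
    id: int
    author_name: str
    author_email: str
    ip: str
    content: str
    restricted: bool = False  # Art. 18: keep the record, stop further processing

def make_sample_store():
    return [  # constructed data, reserved example addresses
        Comment(1, "Alice Example", "alice@example.org", "203.0.113.10", "Great post!"),
        Comment(2, "Bob Example", "bob@example.org", "203.0.113.11", "I disagree."),
        Comment(3, "Alice Example", "alice@example.org", "203.0.113.10",
                "Alice here again, still curious about the follow-up."),
        Comment(4, "Alice Example", "alice@example.org", "203.0.113.10",
                "The invoice for the workshop never arrived."),
    ]

def export_user_data(store, email):
    """Art. 15/20: all records tied to the address, as dicts for a JSON download in the account."""
    return [asdict(c) for c in store if c.author_email.lower() == email.lower()]

def content_links_back(c):
    """Slide 34's caveat: the text may only stay if it cannot be linked to the person."""
    text = c.content.lower()
    names = [t for t in c.author_name.lower().split() if len(t) >= 3]
    return c.author_email.lower() in text or any(t in text for t in names)

def erase_user(store, email, legal_hold_ids=frozenset()):
    """Art. 17: anonymise, not delete; legal-hold records are kept but restricted (Art. 18)."""
    anonymised = content_removed = held = 0
    for c in store:
        if c.author_email.lower() != email.lower():
            continue
        if c.id in legal_hold_ids:
            c.restricted = True
            held += 1
            continue
        if content_links_back(c):  # decide before the name is wiped
            c.content = "[removed]"
            content_removed += 1
        c.author_name, c.author_email, c.ip = "[deleted]", "", ""
        anonymised += 1
    return anonymised, content_removed, held
```

Matching on the e-mail is case-insensitive so a request typed with capitals still finds every record; the export after erasure shows only the restricted legal-hold record, which is what the user should be told is retained and why.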

Slide 35

Slide 35 text

Your obligations

Slide 36

Slide 36 text

„Privacy By Design“

Slide 37

Slide 37 text

Enable data portability

Slide 38

Slide 38 text

Delete upon request

Slide 39

Slide 39 text

Ensure data integrity & protection

Slide 40

Slide 40 text

Inform users when you received data from others

Slide 41

Slide 41 text

Document & Report data breaches

Slide 42

Slide 42 text

What do you need to do?

Slide 43

Slide 43 text

Have a data protection policy
• Generators are out there:
• https://datenschutz-generator.de
• https://www.e-recht24.de
• https://www.iubenda.com
• List all sorts of data you process, under which legal grounds, and why you give this data to a 3rd party and why you are allowed to do so (Privacy Shield, etc).

Slide 44

Slide 44 text

Have a data protection policy

Slide 45

Slide 45 text

Choose 3rd party services wisely
• Do not throw in any tracker and plugin just because you can
• Use browser plugins like Ghostery to check where your site is sending data (sometimes plugins bring trackers that you don’t know about)
• Look around if there are EU alternatives for US services (Privacy Shield might not hold)
• MailChimp (US) → CleverReach (DE)
• Google Analytics → self-hosted Matomo (prev. Piwik)

Slide 46

Slide 46 text

Choose 3rd party services wisely
• When embedding YouTube videos, use the non-tracking variant
• 2-Click-Social-Share buttons: Shariff (https://github.com/heiseonline/shariff)

Slide 47

Slide 47 text

ABMAHNUNG

Slide 48

Slide 48 text

up to 4% of global revenue*
* or up to 20 million € if you aren’t a corporation

Slide 49

Slide 49 text

Limited company? Management: 20m€ + up to 3 years of JAIL!

Slide 50

Slide 50 text

chill

Slide 51

Slide 51 text

Here’s the thing …
• In data protection there is no right or wrong
• You always work with risks
• The people that can sue you are users, consumer protection centers and data protection authorities.
• Users need to have real damages (identity theft, …)
• And before they look at your blog, there are many many bigger fish to look at
• Even if the authorities look into you, their punishment needs to be proportional ⚖

Slide 52

Slide 52 text

Compe

Slide 53

Slide 53 text

Resources
• Rechtsbelehrung Podcast (ep. 54 + 55): https://rechtsbelehrung.com/
• Datenschutz-Guru Podcast: https://www.datenschutz-guru.de/category/podcast/
• EU GDPR by the EU: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules