Slide 1

GDPR FOR NERDS: A NOT SO BORING (?) INTRO TO THE GDPR

Slide 2

WHOAMI
FRANK LOUWERS @FRANK_BE
BUILT, GREW AND SOLD A HOSTING COMPANY (15+ YEARS)
FREELANCE CONSULTANT
STARTUP: GDPR-BUTLER.EU

Slide 3

TINASP ! IANAL

Slide 4

GDPR FOR NERDS

Slide 5

GDPR … (BORING, BUT NEEDED)
GDPR
▸ General
▸ Data
▸ Protection
▸ Regulation

Slide 6

GDPR … GENERAL
▸ Applies to “processors” in Europe:
  ▸ for all personal data they process, regardless of citizenship
▸ Applies to processors outside Europe:
  ▸ for all personal data they process for all EU inhabitants

Slide 7

GDPR … PERSONAL DATA
▸ any information relating to an identified or identifiable natural person (‘data subject’).
▸ An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Slide 8

GDPR … PROTECTING INDIVIDUALS’ RIGHTS
‣ Processed lawfully, fairly, transparently
‣ Purpose limitation
‣ Data minimisation
‣ Accurate and up-to-date processing
‣ Limitation of storage
‣ Confidential and secure
‣ Accountability and liability

Slide 9

GDPR … REGULATION
▸ EU “Regulation”
  ▸ effective without need to translate into local law
  ▸ All EU countries
  ▸ On May 25th 2018

Slide 10

TWTBS! T4AQ

Slide 11

DOES THE GDPR APPLY TO A US BANK, TARGETING US EXPATS LIVING IN EUROPE? SCOPE

Slide 12

DOES THE GDPR APPLY TO A US BANK, TARGETING US EXPATS LIVING IN EUROPE? SCOPE YES!

Slide 13

DOES THE GDPR APPLY TO FACEBOOK IRELAND, REGARDING JAPANESE CUSTOMERS? SCOPE

Slide 14

DOES THE GDPR APPLY TO FACEBOOK IRELAND, REGARDING JAPANESE CUSTOMERS? SCOPE YES!

Slide 15

“DATA” MEANS PII DATA?

Slide 16

“DATA” MEANS PII DATA? NO !

Slide 17

DATA … PERSONAL DATA
“The slightly-gray-haired-gentleman with glasses, at the Speakers Dinner, wearing a shirt that resembles the Slack logo”
‣ Not PII
‣ But is Personal Data
Sorry Toshaan!

Slide 18

YOU MUST HAVE CONSENT IF YOU WANT TO PROCESS PERSONAL DATA LAWFUL PROCESSING

Slide 19

YOU MUST HAVE CONSENT IF YOU WANT TO PROCESS PERSONAL DATA LAWFUL PROCESSING NO !

Slide 20

LAWFUL PROCESSING: CONSENT
▸ Consent
  ▸ freely given
  ▸ specific
  ▸ informed
  ▸ unambiguous
  ▸ by a statement or by a clear affirmative action

Slide 21

LAWFUL PROCESSING
▸ Consent
▸ Contract
▸ Legal obligation
▸ Vital interests (forget this one …)
▸ Public task (forget this one …)
▸ Legitimate Interests (intra-group transfers, IT security, fraud prevention, marketing …)

Slide 22

I HAVE AN ABSOLUTE RIGHT TO BE FORGOTTEN! RIGHTS…

Slide 23

I HAVE AN ABSOLUTE RIGHT TO BE FORGOTTEN! RIGHTS… NO *!

Slide 24

I HAVE AN ABSOLUTE RIGHT TO BE FORGOTTEN! RIGHTS… NO *! *: it depends

Slide 25

RIGHT TO BE FORGOTTEN: THE RIGHT TO BE FORGOTTEN SHOULD BE HONOURED … UNLESS YOU CAN’T
▸ Other obligation that has priority:
  ▸ Contract
  ▸ Legal obligation
  ▸ Vital interests
  ▸ Public task
  ▸ Legitimate Interests (but be careful)

Slide 26

RIGHTS: OTHER RIGHTS…
▸ Right of access to data (“Subject Access Request” or SAR)
▸ Right to rectification
▸ Right to restrict processing
▸ Right to object
▸ Right to data-portability

Slide 27

MY ORGANISATION NEEDS A DPO DPO…

Slide 28

MY ORGANISATION NEEDS A DPO DPO… NO *!

Slide 29

MY ORGANISATION NEEDS A DPO DPO… NO *! *: it depends

Slide 30

DPO: WHEN DO YOU NEED A DPO?
▸ Public Authority (even a tiny one)
▸ Core activities require regular and systematic processing at large scale
▸ Core activities involve processing on a large scale of “sensitive data”

Slide 31

DPO: SENSITIVE DATA?
▸ Data about a subject’s:
  ▸ Health
  ▸ Genetics
  ▸ Biometrics
  ▸ Sexual preferences, orientation or data about sex life
  ▸ Political, religious, philosophical beliefs
  ▸ Trade Union membership
  ▸ Criminal records

Slide 32

GDPR FOR NERDS

Slide 33

HOW TO BECOME GDPR COMPLIANT?

Slide 34

GET GDPR- CERTIFIED!

Slide 35

GET GDPR- CERTIFIED! NO !

Slide 36

ADHERE TO A CODE OF CONDUCT

Slide 37

ADHERE TO A CODE OF CONDUCT NO !

Slide 38

BECOME ISO 27001 CERTIFIED

Slide 39

BECOME ISO 27001 CERTIFIED NO *!

Slide 40

BECOME ISO 27001 CERTIFIED NO *! *: it might help

Slide 41

GDPR COMPLIANCY? GDPR CERTIFICATION IN FIVE EASY STEPS
1. Think about the data your organisation processes and map them
   ▸ Requirement: “Register” of processing activities (eg gdpr-butler.eu)
   ▸ Why / Whose / What / When / Where
2. Think about security and privacy of your systems:
   ‣ Adequate security (encryption, access control, …)
   ‣ “Privacy by design”: eg. dev-DB contains no real data
   ‣ “Privacy by default”: default settings
   ‣ ISO 27001 could be a guidance but is not even mentioned in the GDPR

Slide 42

GDPR COMPLIANCY? GDPR CERTIFICATION IN FIVE EASY STEPS
3. Be transparent and honest
   ‣ Privacy policy
   ‣ Mandatory: log Data breaches (gdpr-butler.eu)
   ‣ Have an emergency plan in case of a breach
   ‣ Have a procedure to handle SARs (Subject Access Requests)
4. Third parties that process your data? Contract needed (see next slide)
5. Open drawing app, design and print a nice GDPR Certified logo, frame it, hang it in your office and demand a pay raise!
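
Step 2's “dev-DB contains no real data” in working form, as an added example that is not from the talk or from gdpr-butler.eu: a constructed customer table is copied into a dev dataset with direct identifiers replaced by keyed pseudonyms (so rows about the same person still join), personal data that dev work does not need dropped, and a leak check run before the dump leaves production. The column names, sample rows and the dev key are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Iterable

# Constructed column layout for the example: direct identifiers get a keyed
# pseudonym so rows about the same person still join; personal data that dev
# work does not need is dropped (data minimisation); the rest is copied.
IDENTIFIER_COLUMNS = ("customer_id", "email")
DROP_COLUMNS = ("full_name", "phone", "street_address")
KEEP_COLUMNS = ("plan", "created_month")

def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """HMAC-SHA256 under a dev-only key, truncated: the same real value always
    maps to the same pseudonym for one key, and the output does not reveal
    the real value to anyone without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]

def make_dev_row(row: dict, key: bytes) -> dict:
    out = {col: pseudonym(str(row[col]), key) for col in IDENTIFIER_COLUMNS}
    out.update({col: row[col] for col in KEEP_COLUMNS})
    # Keep the column so dev code that expects it does not break, never the content.
    out.update({col: None for col in DROP_COLUMNS})
    return out

def make_dev_table(rows: Iterable[dict], key: bytes) -> list:
    return [make_dev_row(r, key) for r in rows]

def leaks_real_data(dev_rows: list, prod_rows: list) -> bool:
    """Check before the dev dump leaves the production zone: no real identifier
    or dropped value may appear anywhere in the dev rows."""
    real = {str(r[c]) for r in prod_rows for c in IDENTIFIER_COLUMNS + DROP_COLUMNS}
    seen = {str(v) for r in dev_rows for v in r.values() if v is not None}
    return bool(real & seen)

# Constructed sample production rows (fictional people).
PROD_ROWS = [
    {"customer_id": "C1001", "email": "ann@example.com", "full_name": "Ann Example",
     "phone": "+32 470 00 00 00", "street_address": "1 Example Street",
     "plan": "pro", "created_month": "2018-05"},
    {"customer_id": "C1002", "email": "bob@example.com", "full_name": "Bob Example",
     "phone": "+32 470 11 11 11", "street_address": "2 Example Street",
     "plan": "free", "created_month": "2018-04"},
]
DEV_KEY = b"dev-only-key-placeholder"  # constructed; never the production secret

if __name__ == "__main__":
    dev = make_dev_table(PROD_ROWS, DEV_KEY)
    print(dev)
    print("leaks real data:", leaks_real_data(dev, PROD_ROWS))
```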

Slide 43

CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: PROCESSORS
‣ Controller: the entity who “controls” (owns) the data
‣ Processor: party who “processes” data for a controller
‣ Sub-Processor: processor of a processor

Slide 44

CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: LEGAL CONTRACTS
‣ Needs to be a contract between controller and processor
‣ Most of it can be added to general T&C
‣ Important: shared liability, cannot be shifted either way!
‣ Processor can use sub-processors, but must name them
‣ “It depends”: general description is enough in some cases
‣ In theory, controller can object to new sub-processor…

Slide 45

CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: WHAT IS PROCESSING?
“operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

Slide 46

CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: WHAT IS PROCESSING?
‣ Hosting? Yes
‣ Backup services? Yes (unless the client encrypts it before they hand it to you)
‣ Having R-O access to an analytics account and using that data to optimise the site? Yes
‣ Having a root shell on the storage server of your customer? Yes
‣ Having access to the customer’s VPN router? Yes
➡ My advice: if in doubt, consider it processing!

Slide 47

I CAN ONLY USE SERVERS IN THE EU WHERE ARE MY SERVERS?

Slide 48

I CAN ONLY USE SERVERS IN THE EU WHERE ARE MY SERVERS? NO *!

Slide 49

I CAN ONLY USE SERVERS IN THE EU WHERE ARE MY SERVERS? NO *! *: but it might make things easier

Slide 50

WHERE ARE THE SERVERS? WHERE THE FRAK ARE THE SERVERS?
‣ You can only use EEA (EU + Iceland + Norway + Liechtenstein) processors or subprocessors, unless:
  ‣ List of countries offering “equal protection”
    ‣ USA if Privacy Shield compliant
    ‣ most of Canada
    ‣ Switzerland, Argentina, Israel, New Zealand
  ‣ “Standard clauses”: model contract drafted by the EU
  ‣ Binding Corporate Rules: international group of companies

Slide 51

AFTER MARCH 2019, I NEED EXTRA CONTRACTS FOR THE UK WHERE ARE MY SERVERS?

Slide 52

AFTER MARCH 2019, I NEED EXTRA CONTRACTS FOR THE UK WHERE ARE MY SERVERS? NO !

Slide 53

AFTER MARCH 2019, I NEED EXTRA CONTRACTS FOR THE UK WHERE ARE MY SERVERS? NO ! YES!

Slide 54

EVERY DATA BREACH NEEDS TO BE REPORTED PAPA DON’T BREACH …

Slide 55

EVERY DATA BREACH NEEDS TO BE REPORTED PAPA DON’T BREACH … NO *!

Slide 56

EVERY DATA BREACH NEEDS TO BE REPORTED PAPA DON’T BREACH … NO *! *: it depends

Slide 57

A DATA BREACH WILL RESULT IN A FINE PAPA DON’T BREACH …

Slide 58

A DATA BREACH WILL RESULT IN A FINE PAPA DON’T BREACH … NO *!

Slide 59

A DATA BREACH WILL RESULT IN A FINE PAPA DON’T BREACH … NO *! *: it depends

Slide 60

PAPA DON’T DATA-BREACH … DATA BREACHES
▸ All Data Breaches need to be noted in a register
▸ Breach likely to result in a risk to people’s rights and freedoms?
  ➡ report within 72 hours of becoming aware of the breach
▸ You won’t get fined if you have a data breach!
▸ “Tell it all, tell it fast, tell the truth”
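
The breach-handling rule on this slide as an added example (not from the deck): a register that records every breach, and computes the 72-hour reporting deadline from the moment of awareness, not from when the incident happened, only for breaches assessed as likely to put people's rights and freedoms at risk. The `Breach`/`BreachRegister` names, the boolean risk flag standing in for the real assessment, and the sample incidents are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

NOTIFY_WINDOW = timedelta(hours=72)  # runs from awareness, not from the incident

@dataclass
class Breach:
    description: str
    occurred_at: datetime          # when it happened, often earlier than discovery
    became_aware_at: datetime      # the 72-hour clock starts here
    likely_risk_to_rights: bool    # placeholder for the real risk assessment
    reported_at: Optional[datetime] = None

    def must_report(self) -> bool:
        # Every breach goes in the register; only those likely to result in a
        # risk to people's rights and freedoms go to the authority.
        return self.likely_risk_to_rights

    def report_deadline(self) -> Optional[datetime]:
        return self.became_aware_at + NOTIFY_WINDOW if self.must_report() else None

    def status(self, now: datetime) -> str:
        if not self.must_report():
            return "register-only"
        deadline = self.report_deadline()
        if self.reported_at is not None:
            return "reported-on-time" if self.reported_at <= deadline else "reported-late"
        return "overdue" if now > deadline else "pending"

@dataclass
class BreachRegister:
    entries: list = field(default_factory=list)

    def log(self, breach: Breach) -> Breach:
        self.entries.append(breach)  # all breaches, risky or not
        return breach

    def open_notifications(self, now: datetime) -> list:
        """Breaches that still have to reach the authority, most urgent first."""
        due = [b for b in self.entries if b.status(now) in ("pending", "overdue")]
        return sorted(due, key=lambda b: b.report_deadline())

if __name__ == "__main__":
    # Constructed sample: an encrypted laptop lost (register only) and an
    # exposed customer table discovered ten days after the fact (must report).
    t0 = datetime(2018, 5, 25, 9, 0)
    reg = BreachRegister()
    reg.log(Breach("lost encrypted laptop", t0 - timedelta(days=2), t0, False))
    dump = reg.log(Breach("customer table exposed", t0 - timedelta(days=10), t0, True))
    print(dump.report_deadline(), [b.description for b in reg.open_notifications(t0)])
```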

Slide 61

5P2TA…

Slide 62

5P2TA: TAKE AWAY FROM THIS PRESENTATION…
▸ The GDPR is real, your organisation is probably affected!
▸ All “GDPR Certification” programs are bullsh*t
▸ Be transparent, think about data, security
▸ Controller - Processor agreements
▸ Work in/for a larger organisation? Prepare for data-breach and SAR

Slide 63

Q & A http://bit.ly/gdprfornerds (as of tomorrow) @FRANK_BE [email protected]