1 of 15

GDPR

General Data Protection Regulation

by Ronni Kahalani, Copenhagen School of Design & Technology.

GDPR guidelines for protection of user/customer data.

https://gdpr-info.eu/

2 of 15

Who am I?

Thank you for stopping by.

I’m Ronni. I hope you’re well and wish you a safe and worthy journey.

This presentation is part of the Software Engineering Series, from my lectures at Copenhagen School of Design & Technology.

You can view Introducing Myself if you want to know a little more about who I am.

All my presentations and materials are free and available at my blog post: Software Engineering.

Don’t let me hold you up,

continue your journey, go to next slide.


3 of 15

Agenda

  • What is GDPR?
  • Key principles and provisions
  • Examples of organizations that have faced fines related to GDPR

4 of 15

What is GDPR?

GDPR stands for the General Data Protection Regulation.

It’s designed to give individuals greater control over their personal data while imposing stricter obligations on organizations to handle data responsibly and securely.

It has had a profound impact on the way organizations handle data privacy and has influenced privacy laws globally.

    • Who should know about this?
      • Everyone participating in the project, especially the data modelling team.
    • What are the consequences of breaking these rules?
      • Heavy economic fines.

5 of 15

What is GDPR?

  • It is a comprehensive data protection and privacy regulation implemented in the European Union (EU) and the European Economic Area (EEA). GDPR came into effect on May 25, 2018, and it replaced the previous Data Protection Directive.
  • The primary goal of GDPR is to protect the personal data and privacy of individuals within the EU and EEA and to harmonize data protection laws across the region.
  • It applies to all organizations that process or handle personal data of EU citizens, regardless of where the organization is located. This means that any company worldwide that deals with the personal data of EU citizens is subject to GDPR compliance.

6 of 15

Key principles and provisions

Consent

  • It requires clear and explicit consent from individuals for processing their personal data. Consent must be freely given, specific, informed, and unambiguous.

Data Subject Rights

  • GDPR grants individuals several rights, including the right to access, rectify, erase, restrict processing, and the right to data portability.

Data Protection Officer (DPO)

  • Some organizations are required to appoint a Data Protection Officer responsible for monitoring compliance and data protection matters.

Data Breach Notification

  • Organizations must notify relevant authorities and affected individuals within 72 hours of becoming aware of a data breach that poses a risk to individuals' rights and freedoms.

Accountability and Privacy by Design

  • Organizations are required to implement measures that ensure data protection is considered from the outset of any data processing activities.

Data Transfers

  • When transferring personal data outside the EU/EEA, organizations must ensure adequate safeguards are in place to protect the data.

Penalties

  • GDPR has significant fines for non-compliance, with penalties of up to 4% of the global annual revenue of a company or €20 million, whichever is higher.

7 of 15

Examples of organizations that have faced fines related to GDPR (until 2021)

These are just a few examples; several other fines and penalties have been imposed on organizations for non-compliance with GDPR across different EU member states since its implementation.

The enforcement of GDPR remains an ongoing process as authorities continue to investigate and respond to data breaches and privacy violations.

Note that additional cases and fines may have occurred after the last update. Some notable examples of GDPR fines up to September 2021 include:

8 of 15

Google LLC (€50 million)

In January 2019, France's data protection authority, CNIL, fined Google €50 million for:

  • Lack of transparency.
  • Inadequate information provided to users.
  • Insufficient consent mechanisms for personalized advertisements.

9 of 15

British Airways (£183 million)

In July 2019, the UK's Information Commissioner's Office (ICO) issued a notice of intent to fine British Airways £183 million for:

  • a data breach that exposed the personal data of approximately 500,000 customers.

10 of 15

Marriott International (£99 million)

In July 2019, the ICO announced its intention to fine Marriott International £99 million for:

  • a data breach that affected around 339 million guest records across the EU.

11 of 15

H&M (€35.3 million)

In October 2020, the Hamburg Data Protection Authority in Germany fined H&M €35.3 million for:

  • unlawfully collecting and storing employees' personal data.

12 of 15

Amazon (€746 million)

In December 2020, the Luxembourg National Commission for Data Protection (CNPD) issued a fine of €746 million to Amazon for:

  • alleged violations of GDPR related to its data processing practices.

13 of 15

TIM - Telecom Italia (€27.8 million)

In January 2021, the Italian data protection authority, Garante, fined TIM €27.8 million for:

  • various GDPR violations related to unsolicited marketing communications.

14 of 15

Questions?

Anything? What’s on your mind? Come on, ask me anything…

15 of 15

Feedback?

Thank you for your precious time.

I hope it was worth it and would love to get your feedback.

Please share your feedback here