1 of 32

Data Privacy: General Data Protection Regulation

Na Sambathchatovong

Cyber Researcher

1 General Data Protection Regulation (GDPR)


Learning Objectives

  • Who is who?
  • What is personal data?
  • What are the consequences?
  • Data protection principles and rights
  • Our company’s data protection policy


What has changed?

Data Protection Act

General Data Protection Regulation (GDPR)


If Data Protection Law applies

A data controller will have a certain number of obligations

As will its data processor


A data subject will have a certain number of rights


Data controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller


Data subject: an identified or identifiable natural person whose personal data are being processed (by the data controller)


Who is who?


“A travel agency sends personal data of its customers to the airlines and a chain of hotels, with a view to making reservations for a travel package. The airline and the hotel confirm the availability of the seats and rooms requested. The travel agency issues the travel documents and vouchers for its customers”.

Who is the data controller?


“Social network service providers provide online communication platforms which enable individuals to publish and exchange information with other users. …The users of such networks, upload(…) personal data also of third parties”.

Who is the data controller?


Article 29 WP

“Social network service providers provide online communication platforms which enable individuals to publish and exchange information with other users. These service providers are data controllers, since they determine both the purposes and the means of the processing of such information. The users of such networks, uploading personal data also of third parties, would qualify as controllers provided that their activities are not subject to the so-called "household exception"”. [2010]


  1. You shall have a legal basis to process the data
  2. You shall process the data for a specified and limited purpose
  3. You shall only collect the data that are necessary to pursue this purpose
  4. You shall keep the data for no longer than necessary
  5. You shall only keep accurate data
  6. You shall keep the data secure
  7. You shall enable data subjects to exercise their rights
  8. You should maintain a record of processing activities


What is personal data?

  • “... information relating to a living individual who can be identified from that data...”
  • “…it may include expressions of opinion…”
  • “…held in manual or electronic systems…”
  • ICO guidance


What constitutes personal data?

  • Our company’s annual report – NO
  • Your salary details – YES
  • Your medical information – YES
  • Your name and date of birth – YES
  • Your anonymous response to a survey question – NO
  • Your photo or image on a CCTV camera – YES


What is personal data under GDPR?

“...IP addresses...”

“…automated personal data and data held in manual systems…”

“…key-coded (pseudonymised) personal data…”

Sensitive personal data

Special categories of personal data (Article 9)


Special categories of personal data

  • Your name and date of birth – NO
  • Racial or ethnic origin – YES
  • Genetic data – YES
  • Religious or political beliefs – YES
  • Data concerning sex life or sexual orientation – YES
  • Biometric data – YES


Lawful processing

  1. Explicit consent of the data subject
  2. Necessary for the performance of a contract
  3. Necessary for legal or judicial reasons
  4. Necessary to protect the data subject’s best interests
  5. Necessary to perform a task carried out in the public interest
  6. Necessary for legitimate interests


What rights do data subjects have?

I don’t want to receive your marketing letters and promotions

I want to be able to take my data and reuse it on other platforms

Did I agree to that? I didn’t see a privacy notice on your website when I typed in my details

Does the right to be forgotten apply to me?

I want to have any errors corrected

I want to find out what data you have about me and how you’re using it

Please stop using my data until you’ve checked there is a legitimate purpose


Rights of individuals under GDPR:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (“right to be forgotten”)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights on automated decision making & profiling


When it goes wrong

TalkTalk fined £400k by ICO for cyber attack

1b customer accounts hacked, admits Yahoo

Shop owner fined for using instore CCTV without registering

Social worker drives off with family court data on roof

Loan company fined £70k for spam texts

Insurance firm fined £150k for losing 60,000 customers’ data


Data breach notifications

“A data breach only occurs when data is lost”
No. It can occur if data is accessed inappropriately due to a lack of internal controls

“Breaches are only serious if data is actually taken”
No. Unauthorised access, disclosures, loss, destruction, and alteration are also serious

“Look at Yahoo – isn’t it best to keep quiet?”
No. Under GDPR, you just have 72 hours to notify of data breaches


You make the call: Is it a breach?

“She asked me to remove her information from our systems – but it’s required for regulatory reasons so I refused”

Breach

No Breach


You make the call: Is it a breach?

“At first, he gave us his consent to use his data but then he changed his mind – I told him that it wasn’t allowed”

Breach

No Breach


You make the call: Is it a breach?

“We assumed she gave us her consent because she placed an order with us and friended us on social media”

Breach

No Breach


Our Data Protection Policy

  1. What personal data we use and how
  2. Our rules and procedures – creating, storing, sharing and disposing of personal data safely
  3. Identifying our Data Protection Officer and how to contact them
  4. Requiring everyone to read and implement our Data Protection Policy


To Do


Do

  • Read our Company's Data Protection Policy – make sure you understand the rules and why they're important
  • Follow our policies and rules whenever you use personal data – taking particular care to prevent unauthorised access, loss, theft or alteration
  • Speak out promptly if you accidentally lose, delete or transfer personal data to someone else – our firm has just 72 hours to report it
  • Talk to your manager or our Data Protection Officer if you have any questions or concerns


Don’t

  • Keep using customers’ personal data for marketing if they ask you to stop
  • Transfer personal data outside the EU without ensuring there are adequate protections in place
  • Leave personal data lying around on a desk or unattended onscreen
  • Collect or use children’s personal data without getting parental consent first


Privacy and Data Protection in the age of COVID-19:

Does Data Protection hinder the measures that need to be taken for public health?


Privacy and Data Protection in the age of COVID-19:

Does the processing of health data by public authorities open the door to surveillance?


Any Questions?
