Introduction
The GDPR is a single regulation that applies directly in all EU member states, to organisations, public authorities and individuals alike. Its purpose is to strengthen EU citizens' control over, and protection of, their personal data, while increasing transparency and making it easier for European businesses to operate across borders.
The GDPR enters into effect on 25 May 2018. Failure to comply may result in fines of up to 20 MEUR or 4% of global annual turnover, whichever is higher.
The mindset of GDPR:
The individual owns their personally identifiable information (PII)
Companies must regard PII as borrowed, not owned
Accountability - Companies must be able to show why and how PII is used
Stronger Individual Rights
Transparency - The right to access and obtain a copy of stored PII
Rectification - The right to update information
Forgettability - The right to be forgotten
Portability - The right to have PII exported
Data Protection Principles
All PII must be handled in a way that is lawful, fair and transparent
Data may only be processed on a lawful basis and for specified purposes, for example:
  Consent (must be documented, specific, freely given and revocable)
  Contract (an agreement with the individual)
  Legitimate interest
Collection must be limited to what is necessary for the purpose (data minimisation)
Data must be correct and up to date
Data cannot be stored in a form that enables identification for longer than the purpose of the collection requires
Data must be processed securely, preserving its integrity and confidentiality
Technical and Organisational Impact
Privacy by Design
Privacy by Default
Breach and Incident handling processes
Designated Data Protection Officer (mandatory for public authorities and for large-scale monitoring or processing of sensitive data)
Documentation of all Data Processing and Data Processors
Roles
The Data Controller
The entity that determines the purposes and means of processing the data
Bears primary responsibility for compliance with EU law
Must be able to demonstrate compliance with Data Protection Principles
The Data Processor
Any third party that processes personal data on behalf of the controller
All data processors must fulfil GDPR Processor Requirements
Data Transfer
Data transfer is allowed within the EU and the EEA countries, such as Norway
Data transfer outside the EU/EEA is generally prohibited, unless:
  the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection (an adequacy decision);
  the data exporter puts in place appropriate safeguards; or
  a derogation or exemption applies