GDPR

8th April 2016

The Council adopted the Regulation.

Article 33: Notification of a personal data breach to the supervisory authority

- A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. - Data controllers are obliged to report security breaches to the relevant supervisory authority without undue delay; - Where feasible, not later than 72 hours after they first become aware. - If not made within 72 hours, a justification for the delay must be provided. - Not necessary to notify where breach is "unlikely to result in a risk for the rights and freedoms" of data subjects. - The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

Countries the EU considers as having adequate data protection laws

- Andorra - Argentina - Canada - Faroe Islands - Guernsey - Isle of Man - Israel - Jersey - New Zealand - Switzerland - Uruguay

Article 82: Right to compensation and liability

- Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor. - The controller shall be liable only for damage cause by processing or where it has acted contrary to lawful instructions of the controller. - The processor is liable only for damage cause by processing. - Joint and several liability to ensure effective compensation. - Compensation clawback provision.

Article 44: General principle for transfers

- Any transfer of personal data by controller or processor to a third country or an international organisation shall only take place if: > Specific conditions (Articles 45-47) are compliance with; and > All provisions are applied to ensure the protection of natural persons is not undermined.

Article 47: Binding corporate rules

- Are legally binding and are enforced by every member concerned in a group of undertakings or group of enterprises engaged in a joint economic activity, including employees; - Expressly confer enforceable rights on data subjects; and - fulfil the requirements laid down in the article: > structure and contact details of the gourp of undertakings; > categories of personal data and types of processing; > third countries involved; >application of data protection principles; > rights to legal redress, etc.

No Restrictions on Transfers to EEA countries

- Austria - Belgium - Bulgaria - Croatia - Cyprus - Czech Republic - Denmark - Estonia - Finland - France - Germany - Greece - Hungary - Inceland - Ireland - Latvia - Liechtenstein - Lithuania - Luxembourg - Malta - Netherlands - Norway - Poland - Portugal - Slovakia - Slovenia - Sweden - United Kingdom

Article 40: Codes of conduct

- Codes of conduct may be made available at national and European level. > By associations and other representative bodies with regard to any aspect of the GDPR. > Compliance with codes of conduct is another method for organisations to demonstrate they have taken steps to implement appropriate policies and procedures.

Article 38: Position of the data protection officer

- Controller and processor must ensure active involvement of the DPO. - Controller and processor must provide necessary resources. DPO has a large degree of independence: > Direct access to highest management. > Data subject has clear access to DPO. > Bound by confidentiality. > No conflict of interest arising from additional tasks or duties.

Article 7: Conditions for consent

- Controllers must be able to demonstrate that consent was given, - Written consent must be clear, intelligible and easily accessible, otherwise not binding. - Consent can be withdrawn any time, and it must be as easy to withdraw consent as give it. - Consent to processing data is not necessary for the performance of a contract. - Ticking a box or coshing appropriate technical settings is till valid.

Article 35: Data protection impact assessment

- DPIA must be performed where processing is likely to result in a high risk to the rights and freedoms of natural persons. -It shall contain at least: > A description of processing and operations. > An assessment of the necessity and proportionality of the processing. > An assessment of the risks to the rights and freedoms of data subjects. > The measures envisaged to address the risks. > Evidence of compliance with approved codes of conduct. > A statement as to whether data subjects have been consulted.

Article 6: Lawfulness of processing

- Data subject gives consent for one or more specific purposes. - Processing is necessary to meet contractual obligations entered into by the data subject. - Processing is necessary to comply with legal obligations of the controller. - Processing is necessary to protect the vital interests of the data subject. - Processing is necessary for tasks in the public interest or exercise of authority vested in the controller. - Processing is for the purposes of legitimate interests pursued by the controller.

Article 77: Right to lodge a complaint with a supervisory authority

- Every data subject has the right to launch a complaint with a supervisory authority. - The supervisory authority shall inform the complainant of progress, including the possibility of judicial remedy.

Article 8: Conditions applicable to child's consent for information society services

- If consent is given and the child is at least 16 years old. - Below the age of 16 years old, parental authorisation is required. - Member States may reduce the definition, but not below 13 years. - Controller shall make reasonable efforts to verify authorisation. - Rules on the validity, formation or effect of a contract in relation to a child shall not be affected. - Information Society Services - Google. eBay etc.

Article 24: Responsibility of controller

- Implement appropriate technical and organisational measures. - Implement data protection policies. - Adhere to codes of conduct to demonstrate compliance.

Article 83: General conditions for imposing administrative fines

- Imposition of administrative fines will in each case be effective, proportionate and dissuasive. - Must take account of: > the nature, gravity and duration of the infringement; > the intentional or negligent character of the infringement; > any action taken by the controller or processor to mitigate the damage suffered by data > the degree of responsibility of the controller or processor taking into account technical and organisational > any relevant previous infringements > the degree of cooperation > the categories of personal data affected by the infringment > the manner in which the infringement became known > where corrective powers have previously been ordered against the controller or processor > adherence to approved codes of conduct or approved certification mechanisms > and any other aggravating or mitigating factors

Article 51 - 52: Supervisory authority

- Member States must provide one of more independent supervisory authorities: > monitor the application of the GDPR. > supervisory authorities must act independently. > Member States must provide adequate resources. - Lead supervisory authorities: > entities operating in more than one state can choose a lead supervisory authority for all their pan-EU activities. > monitor compliance in respect of cross-border processing by an organisation whose main establishment is in Member State.

Article 23: Restrictions

- National security - Defence - Public security - All activities related to prosecution of criminal offences. - Economic or financial interests of the Union of of a Member State, including public health and social security. - The protection of judicial independence and judicial proceedings. - The prevention, investigation, detection and prosecution of breaches of ethics for regulate professions. - A monitoring, inspection or regulatory function connected with the aforementioned activities. - The protection of the data subject or the rights and freedoms of others. - The enforcement of civil law claims.

Article 50: International cooperation for the protection of personal data

- October 2015: Court of Justice (ECJ) declares Safe Harbour invalid. - April 2015: Article 2015: Article 29 Working Party identified several serious flaws in Safe Harbor framework: > fails to meet EU adequacy standards; > lack of a data retention principle; > the massive and indiscriminate collection of data for national security purposes; > insufficiency of legal remedies. - July 2016: EU - US Privacy Shield agreed and in place.

Article 48: Transfer subject to appropriate safeguards

- Personal data transferred only where there are appropriate safeguards, enforceable data subject rights and legal remedies. - The appropriate safeguards may be provided by: > a legally binding and enforceable instrument between public authorities or bodies; > binding corporate rules in accordance with the GDPR; > standard data protection clauses adopted by the Commission; approved codes of conduct.

Article 28: Processor

- Processes the personal data only on documented instructions from the controller; - Ensures that persons authorised to process the personal data observe confidentiality; - Takes appropriate security measures; - Respects the conditions for engaging another processor; - Assists the controller by implementing appropriate technical and organisational measures; - Assists the controller in ensuring compliance with the obligations in respect of security of processing; - Deletes or returns all the personal data to the controller after the end of the provision of services; and - Makes available to the controller all information necessary to demonstrate compliance with the Regulation.

Article 21: Right to object

- Processing for a task in the public interests; - Processing based on legitimate interests: > processing of personal data for direct marketing; > processing of data for profiling; > processing of data by automated means; > processing for scientific or historical purposes.

Article 32: Security of processing

- Pseudonymisation and encryption of personal data. - Ensuring the ongoing confidentiality, integrity and availability of systems. - A process for regularly testing, assessing and evaluation the effectiveness of security measures. - Taking security measures that comply with the concept of data protection by design. - Taking steps to ensure that any natural person working for the controller or processor only processes data under explicit instruction unless required to do so by EU or Member State law.

Article 9: Processing of special categories of personal data

- Race - Ethnic origin - Political opinions - Religion - Philosophical beliefs - Trade Union membership - Geneticdata - Biometric data - Health data - Concerning a natural person's sex life - Sexual orientation

Article 3: Territorial Scope

- Recital 14: 2The protection afforded by this Regulation should apply to natural persons, whatever thei nationality or place of residence, in relation to the processing of their personal data." - Applies to processing activities that are related to goods or services, irrespective of whether payment is required, or the monitoring of data subjects' behaviour within the EU. - It applies to controllers not in the EU, but where Member State law applies.

Article 16: Right to rectification

- Right to have incomplete data complete - Including by means of a supplementary statement.

Article 78: Right to an effective judicial remedy against a supervisory authority

- Right to judicial remedy against a legally binding decision. - Right to a judicial remedy where the supervisory authority does not handle a complaint or does not inform data subject of progress or outcome. - Judicial remedy shall be brought before the courts of the Member State where the supervisory authority is established.

Article 79: Right to an effective judicial remedy against a controller or processor

- Right to judicial remedy where their rights have been infringed as a result of the processing of personal data. - Proceedings shall be brought before the courts of the Member State where the controller or processor has an establishment.

Article 70: Tasks of the Board

- Role is to ensure cooperation, communication and mutual assistance between supervisory authorities. - Apply the consistency mechanism in the application of the Regulation throughout the Union. - Where there are disputes, adopt and circulate a binding decision. - Monitor and ensure the correct application of the Regulation. - Advise the Comission on issues related to personal data. - Advise the Comission on the format for the exchange of information. - Issue guidelines, recommendations and best practices. - Examine any question covering the application of the Regulation.

Article 43: Certification bodies

- Subject to approval by supervisory authorities. - Must demonstrate independence and expertise.

Territorial Scope

- The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. - It applies to processing activities that are related to goods or services, irrespective of whether payment is required and the monitoring of data subjects' behaviour within the EU.

Article 18: Right to restriction of processing

- The accuracy of the personal data is contested by the data subject. - The processing is unlawful, and the data subject opposes the erasure of the personal data, and requests the restriction of their use instead. - The controller no longer needs the personal data for the purposes of the original processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims. - The data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Article 25: Data protection by design and by default

- The controller shall implement appropriate technical and organisational measures. - Only data necessary for each specific purpose is processed. - The obligation applies to the following: > the amount of data collected; > the extent of the processing; > the period of storage; > the accessibility to that data. - Personal data may not be made accessible to an indefinite number of natural persons without the individual's intervention. - Pseudonymisation and minimisation are recognised techniques in data protection by design.

Article 17: Right to erasure (right to be forgotten)

- The data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. - The data subject withdraws the consent on which the processing is based and where there is no other legal ground for the processing. - The data subject objects to the processing and there are no overriding legitimate grounds from the processing. - The personal data have been unlawfully processed. - The personal data have to be erased for compliance with a legal obligation. - The personal data have been collected in relation to the offer of information society services.

Article 20: The right to data portability

- The data controller must provide the data subject with a copy of personal data in a structured, common used and machine-readable format. - The data controller must not hinder the transmission of personal data to a new data controller. - The right of data portability only applies where: > data is processed by automated means; an > the data subject has provided consent to the processing or the processing is necessary to fulfil a contract; and > the data was provided by the data subject.

Article 9: Exceptions

- The data subject has given explicit consent - It is necessary to fulfil the obligations of controller or of the data subjects - It is necessary to protect the vital interests of the data subject - Processing is carried out by a foundation or not-for-profit organisation - The personal data has manifestly been made public by the data subject - Establishment, exercise or defence of legal claims - Reasons of public interest in the area of public health - Archiving purposes in the public interest - A Member state has varied the definition of a special category

Article 14: When obtaining personal data other than from the data subject, the controller shall provide the data subject with all of the following information (privacy notice)

- The identity and contact details of the controller and their representative. - From which source the personal data originate, and if applicable, whether it came from publicly accessible sources. - The identity and contract details of the controller and their representative. - The contact details of the data protection officer, where applicable. - The purposes as well as the legal basis of the processing. - The categories of personal data concerned. - The recipients of the personal data, where applicable. - The fact that the controller intends to transfer personal data to a third country and the existence of adequacy conditions.

Article 13.1: Information to be provided where personal data collected from the data subject

- The identity and contact details of the controller and their representative. - The contact details of the data protection officer. - The purposes of the processing as well as the legal basis for the processing. - The legitimate interests pursued by the controller or by a third party. - The recipients or categories of recipients of the personal data, if any. - The fact that the controller intends to transfer personal data to a third country and the existence of adequacy conditions.

Article 30: Records of processing activities

- The name and contact details of the controller, joint controller, controller's representative and data protection officer. - The purposes of the processing. - A description of the categories of data subjects and of the categories of personal data. - The categories of recipients to whom the personal data have been or will be disclosed. - International transfers of personal data and the documentation of appropriate safeguards. - The envisaged time limited for erasure of the different categories of data. - A general description of the technical and organisational security measures implemented.

Article 13.2: Information to be provided where personal data collected from the data subject.

- The period of time that the data will be stored. - The right to rectification, erasure, restriction, objection. - The right to data portability. - The right to withdraw consent at any time. - The right to lodge a complaint with a supervisory authority. - The consequences of the data subject's failure to provide data. - The existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject.

Article 15: Right of access by the data subject

- The purposes of the processing. - The categories of personal data concerned. - The recipients to whom the personal data have been or will be disclosed. - The period for which the personal data will be stored. - The right to rectification, erasure, restriction or objection. - The right to lodge a complaint with a supervisory authority. - Where the personal data are not collected from the data subject, any available information as to their source.

Article 45: Transfer on the basis of adequacy

- The rule of law; - Respect for human rights and fundamental freedoms; - Relevant legislation, both general and sectoral, including: > concerning public security; > defence; > national security; > criminal law.

Article 27: Representatives of controllers or processors not established in the Union

- They shall designate in writing a representative in the Union. - A representative shall be established where data processing or profiling resides. - The representative shall be mandated to be addressed by supervisory authorities and data subjects for the purposes of the Regulation. - Designation of a representative does not absolve controller or processor from legal liabilities.

Article 39: Tasks of the Data Protection Officer

- To inform and advise. - To monitor compliance. - To provide advice with regard to data protection impact assessments. - To cooperate and liaise with the supervisory authority. - To be a point of contact for data subjects. - To have due regard to risk associated with processing operations.

Article 42: Certification

- Transfer of personal data to third countries. - Certification will be voluntary. - Certification does not absolve controller of need to comply. - Processing certified for a maximum of three years.

Article 37: Designation of the Data Protection Officer

- Where the processing is carried out by a public body. - Where core activities require regular and systematic monitoring of personal data on a large scale. - Where core activities involve large-scale processing of special categories of data.

Article 34: Communication of personal data breach to the data subject

- Where there is a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. - Communication of the breach to the data subject shall be describes in clear and unambiguous terms. - Breach notification to the data subject is not required if: > the personal data has been rendered unintelligible to any person who is not authorised to access it, such as through encryption; > the controller has measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; > it would involve disproportionate effort. In such a case, there shall instead be a public communication, or similar measure, whereby the data subjects are informed in an equally effective manner. - Supervisory authority may direct controller to notify data subject if it considers personal data breach to be a high risk.

Six Principles for processing personal data

1. Processed lawfully, fairly and in a transparent manner. 2. Collected for specified, explicit and legitimate purposes. 3. Adequate, relevant and limited to what is necessary. 4. Accurate and, where necessary, kept up to date. 5. Retained only for as long as necessary. 6. Processed in an appropriate manner to maintain security.

Recipient

A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Third Party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Personal Data

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

10,000,000 EUR or 2% of global turnover (whichever is greater).

Articles: - 8: Child's consent - 11: Processing not requiring identification - 25: Data protection by design and by default - 26 - 29 & 30: Processing - 31: Cooperation with the supervisory authority - 32: Data security - 33: Notification of breaches to supervisory authority - 34: Communication of breaches to data subjects - 35: Data protection impact assessment - 36: Prior consultation - 37 - 39: DPO's - 41(4): Monitoring approved codes of conduct - 42: Certification - 43: Certification bodies

20,000,000 EUR or 4% of global turnover (whichever is greater).

Articles: - 5: Principles relating to the processing of personal data - 6: Lawfulness of processing - 7: Conditions for consent - 9: Processing special categories of personal data (i.e. sensitive personal data) - 12 - 22: Data subject rights to information, access, rectification, erasure, restriction of processing, data portability, object, profiling - 44 - 49: Transfers to third countries - 58(1): Requirement to provide access to supervisory authority - 58(2): Orders/limitations on processing or the suspension of data flows

Article 12 - 18, 20, 21 & 23 Summary

Degree of Change: Medium Risk: Medium - Existing rights remain the same. - New right - the right to be forgotten. - New right - the porting of personal data. How to demonstrate compliance: - Establish/review processes, procedures and training.

Articles 77 - 84 Summary

Degree of change: High Risk: High - Supervisory authorities are empowered to impose significant administrative fines on both data controllers and processors. How to demonstrate compliance: - Consider an audit of internal controls and processes - Review privacy risks - Review supplier relationships (e.g. liabilities)

Articles 24 - 25, 27 - 28, 30, 32 - 35, 37 - 40 & 42 - 42 Summary

Degree of change: High - Revised codes of conduct. - Data protection impact assessments. - Requirement to appoint a Data Protection Officer. Risk: The GDPR requires the implementation of technical and organisational measure to reduce risk. How to demonstrate compliance: - Data protection governance and information risk management. - Training and awareness. - Records management. - Security of personal data - Requests for personal data. - Data sharing.

Articles 51 - 52, 58 & 70 Summary

Degree of change: High. Risk: Medium - supervisory authorities are given specific competence to act on their own territory. How to demonstrate compliance: - Identify the main supervisory body for your organisation.

Articles 44 - 45, 47 & 50 Summary

Degree of change: Low. GDPR obligations are broadly similar to those of the DPA. Risk: High. Non-compliance with data transfer provisions is one of the areas for which maximum level of administrative fine can be imposed. How to demonstrate compliance: - Supplier contracts with appropriate information security and privacy clauses: > supplier risk assessments; > binding corporate rules/standard contract clauses; > approved certification (e.g. Privacy Shield).

Articles 1 - 4 Summary

Degree of change: Medium Risk: High - The definition of personal data is broader - The GDPR has greater territorial reach. How to demonstrate compliance: - Establish and maintain a data inventory.

Articles 5 - 9 Summary

Degree of change: Medium. In general, the principles remain similar to the Data Protection Directive. Risk: High. The principles form the core of the Regulation. Non-compliance with these principles is likely to have the highest impact in terms of monetary penalty and reputational damage. How to demonstrate compliance: - Risk assess the impact of new rules (e.g. for processing children's data, consent, etc.) - Consider the effectiveness of your organisation's control framework (e.g. gap analysis against a good practice framework such as ISO 27001 or BS 10012).

Article 58: Powers

Each supervisory authority: > shall have investigative powers. > shall have corrective powers. > shall have authorisation and advisory powers. > will have legal power to enforce. > shall be subject to judicial remedy. > is not limited by its Member State.

25th May 2018

GDPR went live and applies in all EU Member States.

Article 2: Material Scope

IN: - Personal data the is processed wholly or partly by automated means. - Personal data that is part of a filing system, or intended to be. OUT: - Personal data used in the course of an activity outside of EU law. -Personal data used in border checks, asylum and immigration status. - Personal data used in relation to a purely personal activity. - Personal data used for the purpose of crime prevention, etc.

Data Subject

Identified or identifiable natural person.

Encryption

Making data inaccessible without the specific decryption key.

Anonymisation

Making it impossible to identify a specific data subject. This effectively places the data outside the GDPR.

Natural Persons

One who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4th May 2016

The Official text of the Regulation was published in the EU Official Journal in all official languages.

24th May 2016

The Regulation entered into force.

14th April 2016

The Regulation was adopted by European Parliament.

Article 21: Exceptions

The controller must demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, of for the establishment, exercise of defence of legal claims.

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

The controller shall provide any information or communication referring to the data subject in a - Concise - Transparent - Intelligible and - Easily accessible form - Using clear and plain language - In particular for any information addressed specifically to a child. The controller must facilitate the exercise of data subject's rights (Data Subject Access Request) - Time period reduced from 40 days to 1 month - Fees abolished

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Article 33: Notification of a personal data breach to the supervisory authority (cont.)

The notification shall at least: - Describe the nature of the personal data breach, including, where possible: > categories and approximate number of data subjects; > categories and approximate number of personal data records. - Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; - Describe the likely consequences of the personal data breach; - Describe the mitigating measures taken or proposed to be taken by the controller to address the personal data breach. The controller: - May provide information in phases; - Shall document facts to a degree that enables the supervisory authority to verify compliance with this Article.

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Administrative Fines

Tier 1: 10 million EUR, or 2% of annual turnover, whichever is greater. Tier 2: 20 million EUR, or 4% of annual turnover, whichever is greater.

Consent

of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.