GDPR
Territorial Scope (art 3)
1. Within the EU: The GDPR applies to any business, whether they are based in the EU or not, that processes personal data as part of its activities in an EU establishment. This means that if a company has an office, branch, or any kind of presence in the EU, GDPR rules apply to all levels of processing of personal data, even if this occurs outside the EU. For instance, a US tech company with an office in Berlin, Germany, must follow GDPR rules everywhere, including the US. 2. Businesses outside EU but interacting with EU residents: - Selling or offering services: If a company outside the EU sells products or offers services to someone inside the EU, must follow GDPR rules (ie. website in USA selling to someone in France). - Watching behavior: If a company tracks what people in the EU do online (like using cookies to see what you browse) it must follow GDPR rules. Ie. Japanese company that has a popular news site that uses cookies to track what people read and how long they spend on certain pages, so they can improve their content accordingly. If this website has a visitor from EU, they must cohere to GDPR guidelines. 3. EU Laws Abroad (Embassies): GDPR applies to some places outside the EU where EU laws are still in effect, like European embassies. (ie. embassy of France in Australia)
*Data Protection Impact Assessments (DPIA) (art 35)
A DPIA is a process designed to help organizations identify and minimize the data protection risks of a project or plan involving personal data. It is particularly necessary when the planned data processing is likely to result in a high risk to the rights and freedoms of individuals, such as privacy breaches.
Data Breach (art 33 and 34)
A data breach occurs when secure or private/confidential information is released to an untrusted environment. This can happen due to unauthorized access, accidental disclosure, or even a result of a cyber attack. A breach might involve various types of information, including personal data, financial details, health records, corporate secrets, or any other significant data. (credit card example)
Patient Tracking Hospital Example
A hospital plans to introduce a new patient tracking system that uses electronic tags to monitor the locations of patients within the hospital. This system is intended to improve patient safety and staff efficiency. Why a DPIA is Needed: This system involves closely monitoring the movements of individuals, which could potentially invade their privacy. The system will collect sensitive information about where patients spend most of their time, who they are with, and their health status based on their location (e.g., spending time in certain treatment areas).
Supervisory Authority
A supervisory authority in the context of the GDPR is an independent public authority established by a member state of the EU to oversee, monitor, and enforce the application of the GDPR.
Administrative Fines (art 83)
Administrative Fines, in the context of the GDPR, are financial penalties imposed by supervisory authorities on organizations that fail to comply with the requirements of the GDPR. These fines are designed to enforce compliance, prevent violations, and ensure that organizations take data protection seriously.
Transfers of the Basis of an Adequacy Decision (art 45)
An adequacy decision is essentially a stamp of approval from the European Commission (administrative body within the EU) that says a non European Union country or an international organization has strong enough privacy laws to protect personal data just like in the EU. When this decision is made, it means that personal data can be sent from the EU to that country or organization without needing any additional safeguards or specific authorizations. This makes it simpler and safer to share data across borders, supporting global business and cooperation, all while maintaining high data protection standards. (Canada example)
Automated Decision Making (art 22)
Automated individual decision making, including profiling, refers to the process where decisions are made entirely by automated means without human involvement. So the GDPR gives individuals the right not to be subjected to decisions made by fully automated decision processing, including profiling, that have a significant impact on them. This could include decisions on credit eligibility, hiring, or insurance pricing that are made by algorithms without human intervention. ex. job recruitment tool
More Severe Case + Example
Fines can reach up to 20 million pounds or 4% of the annual global turnover, whichever is higher. This category includes more critical violations like breaches of basic data processing principles and rights of data subjects. More severe cases typically involve breaches that pose a direct risk to individuals' rights and freedoms, such as unauthorized access to or misuses of personal data. Unauthorized Healthcare Use of Sensitive Data: A healthcare clinic experiences a data breach where sensitive patient records, including medical histories and personal identifiers, are exposed and accessed without authorization. This type of breach compromises the basic principles of data protection, such as confidentiality, integrity, and the privacy rights of the patients.
GDPR
General Data Protection Regulation. It is European Union regulation on data protection and privacy in the EU and European Economic Area. It's a rulebook for companies dealing with personal data in the EU or dealing with EU residents, regardless of where the company is based. Its main purpose is to give individuals control over the personal data and to simplify how businesses handle privacy across Europe.
Less Severe Case + Example
Less Severe Cases: Fines can go up to 10 million pounds or 2% of the annual global turnover, whichever is higher. This includes violations related to administrative duties of data controllers and processors. Less severe cases often involve procedural or administrative oversights that, while important, do not directly harm individuals. Inadequate Retailer Record Keeping: A small online retailer fails to maintain proper records of its data processing activities, which is a requirement under GDPR for transparency and accountability. This oversight is considered a less severe case because it may not directly result in harm to data subjects, but it is a breach of administrative responsibilities.
Data Protection by Design (art 25)
Means that organizations must integrate data protection features and considerations into their products, services, and data processing activities from the very beginning of development, rather than as an addition. It's about considering privacy and data protection issues as part of the design and implementation process of any system, service, or product. (new social media platform)
Data Protection by Default (art 25)
Requires that the strictest privacy settings automatically apply once a customer acquires a new product or service, without requiring any manual changes to protect their data. It ensures that only the personal data necessary for each specific purpose is processed.
Security of Processing (art 32)
Security or Processing (Article 32) requires organizations (both data controllers and processors) to implement adequate security measures to protect personal data against risks like unauthorized access, accidental loss, destruction, or alteration. The measures must match the level of risk involved in data processing activities. (bank encryption example)
Special Category Data (art 9)
Special categories of data include information that is particularly sensitive, like racial or ethnic origins, political stances, religious beliefs, trade union membership, genetic data, biometric data (used for identifying a person), health data, and data related to one's sexual orientation/identity. As a general rule, processing these types of data is prohibited unless certain criteria are met.
GDPR Requirements for Notifying Data Subjects of a Breach
The controller must notify data subjects without undue delay if a personal data breach is likely to result in a high risk to their rights and freedoms.
Right to Erasure (art 17)
The right to erasure (right to be forgotten) gives individuals the power to ask organizations to delete their personal data under certain circumstances. (tinder example)
Pseudonymization (pronounced soo-doh-nomization)
Where data can't be attributed to a specific individual without additional information. This should also be used to protect data. Ex. In records, name not referred to, maybe Subject 100 instead.
Consent (art 4 and 7)
individuals must explicitly consent to the processing of their data. this must be clear and distinguishable.
