The protection of personal data is a fundamental right
After four years of preparation and debate the GDPR was finally approved by the EU Parliament on
14 April 2016. Enforcement date: 25 May 2018
The EU General Data Protection Regulation (GDPR)
replaces the Data Protection Directive 95/46/EC
Goals:
harmonize data privacy laws across Europe
protect and empower the data privacy of all EU data subjects
reshape the way organizations across the region approach data privacy
Who does the GDPR affect?
Organisations located within the EU
Organisations located outside of the EU, if they offer goods or services to, or monitor the behavior of EU data subjects.
All companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What are the penalties for non-compliance?
Fines are tiered (Art. 83):
Up to 4% of annual global turnover or €20 million, whichever is higher, for the most serious infringements, e.g.:
processing personal data without a lawful basis, such as not having sufficient customer consent (Arts. 5-7)
infringing the rights of data subjects (Arts. 12-22)
Up to 2% of annual global turnover or €10 million, whichever is higher, for:
not keeping records of processing activities in order (Art. 30),
not notifying the supervisory authority and the data subjects about a breach (Arts. 33-34),
not conducting a data protection impact assessment (Art. 35),
not implementing data protection by design and by default (Art. 25).
Data breaches that are likely to result in a risk to individuals must be notified to the supervisory authority (DPA) within 72 hours of the organization becoming aware of them; where the risk is high, affected individuals must also be informed without undue delay.
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’,
that can be used to directly or indirectly identify the person.
It can be anything from
a name
a photo
an email address
bank details
posts on social networking websites
medical information
a computer IP address
Parental consent will be required to process the personal data of children under
the age of 16 for online services; member states
may legislate for a lower age of consent but this will not be below the age of 13.
Data controller vs. data processor
Data Controller: the entity that determines the purposes and means of the processing of personal data.
Data Processor: an entity that processes personal data on behalf of the controller (e.g. a cloud service provider acting on the controller's documented instructions).
Regulation vs. directive
Regulation: a binding legislative act that must be applied in its entirety across the EU without national transposition. The GDPR is a regulation.
Directive: a legislative act that sets out a goal all EU countries must achieve, leaving each member state to pass its own national law to reach it (which is why the 1995 Directive led to divergent national rules).
Data Protection Officer (DPO)
A DPO must be appointed (Art. 37) when:
the processing is carried out by a public authority or body
the core activities involve regular and systematic monitoring of data subjects on a large scale
the core activities involve large-scale processing of special categories of (sensitive) personal data or of data relating to criminal convictions
Salesforce and GDPR: First 4 Steps to GDPR readiness (video)
What is Salesforce doing regarding the GDPR?
Salesforce welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for Salesforce to deepen our commitment to data protection.
Similar to existing legal requirements, compliance with the GDPR requires a
partnership between Salesforce and our customers in their use of our services.
Salesforce will comply with the GDPR in the delivery of our service to our customers.
We are also dedicated to helping our customers comply with the GDPR.
We have closely analyzed the requirements of the GDPR and are working to make enhancements to our products, contracts, and documentation
to help support Salesforce’s and our customers’ compliance with the GDPR.
Preparing for Compliance with the GDPR
Compliance with the GDPR requires a partnership
Salesforce customers cannot rely solely on Salesforce to make sure they’re in compliance with the GDPR.
Any organization subject to the GDPR can take steps to ensure it is compliant with the law:
Get Buy-in and Build Your Core Team:
Make sure that leadership is aware of the importance of compliance with the GDPR.
Achieving compliance requires organizations to commit substantial staff resources and financial investments.
Appoint a leader to oversee the initiative, who may also serve as the data protection officer (DPO).
Each department in the company can appoint one or more point people to the team that leads the compliance effort;
it typically draws on information security, procurement, legal, human resources, product management, and marketing.
Preparing for Compliance with the GDPR - contd.
Assess Existing Efforts:
Analyze the organization's existing privacy and security efforts to identify the top areas of focus,
starting with where the organization stores personal data.
Build a data inventory that shows:
for each storage system, which type of data is stored there, where it came from, what it is used for, who has access to it, how it is secured, which third parties it is transferred to, and how long to keep it.
Identify all the third parties that the organization either receives personal data from, or transfers personal data to.
Create a register of data processing activities, and identify which activities pose high risks to data privacy.
For each high-risk activity, organizations can carry out a
data protection impact assessment to determine the actions
they need to take to ensure that they’re properly protecting individual privacy rights.
Establish Controls and Processes - Roadmap of necessary operational and technological changes
Privacy notices:
must be provided wherever personal data is collected, including through the use of website cookies and tags
Usage limitations:
Administrative or technological controls can be used to limit the organization’s use of data to the purposes for which it collected the data
Security:
Administrative, physical, and technological security measures are necessary to prevent
unauthorized access, use, modification, disclosure, or deletion of personal data.
Data subject rights:
Mechanisms and procedures are needed to manage
data subject consent preferences and
respond to complaints and requests for access, rectification, restriction, portability, and deletion.
Vendor management:
Organizations must have contracts with
affiliates, vendors, and other third parties that collect or receive personal data,
including standard contractual clauses or other mechanisms that make data transfers outside the EU lawful.
Establish Controls and Processes - Roadmap of necessary operational and technological changes - contd.
Incident response:
Processes must be created to detect and respond to security breaches,
including remediating the breach and notifying all necessary parties (the supervisory authority within 72 hours where required, and affected individuals without undue delay).
Training: Employee and vendor training must be delivered to raise awareness
of privacy policies, processes, and requirements, and to teach staff how to report concerns and suspicious data activity.
Assessments:
Data protection impact assessments must be conducted for each high risk data processing activity.
Documenting compliance efforts
Compile copies of:
privacy notices and consent forms
data inventory and register of data processing activities
written policies and procedures
training materials
internal company data transfer agreements
vendor contracts
Conduct periodic assessments or audits of the privacy program to ensure that everything is operating as planned.