GDPR in One Page
Definitions (art.4)

‘Personal data (PD)’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

‘Supervisory Authority (SA)’ means an independent public authority which is established by a Member State.

Material scope (art.2)
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. +see Exceptions

Territorial scope (art.3)
GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
• the offering of goods or services
• the monitoring of their behaviour

Principles relating to processing (art.5)
a) Lawfulness, fairness and transparency
b) Purpose limitation
c) Data minimisation
d) Accuracy
e) Storage limitation
f) Integrity and confidentiality
+The controller shall be responsible for, and be able to demonstrate compliance with them (‘accountability’)

Lawfulness (art.6)
a) Consent
b) Contract
c) Legal obligation
d) Vital interests
e) Public interest
f) Legitimate interests

Individual Rights
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

Fines (art.83)
Fines shall be effective, proportionate and dissuasive.
Max fine: 20 000 000 EUR or 4% of the total worldwide annual turnover

Special categories of personal data (art.9):
• genetic data
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• sexual orientation
• biometric data
• health
• sex life
+ personal data relating to criminal convictions and offences (art.10)

Vulnerable individuals include, among others, children, employees, patients, elderly people, asylum seekers.

Security of processing (art.32)
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Notification (art.13,14):
• The name and contact details of your organisation
• The contact details of your data protection officer
• The purposes of the processing
• The lawful basis for the processing
• The categories of personal data obtained
• The recipients or categories of recipients of the personal data
• The details of transfers of the personal data to any third countries or international organisations
• The retention periods for the personal data
• The rights available to individuals in respect of the processing
• The right to withdraw consent
• The right to lodge a complaint with a supervisory authority
• The source of the personal data
• The details of whether individuals are under a statutory or contractual obligation to provide the personal data
• The details of the existence of automated decision-making, including profiling
Provide information in a way that is (art.12): concise, transparent, intelligible, easily accessible, uses clear and plain language

Data breach notification to the data subject (art.34)
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication shall not be required if:
a) the controller has implemented appropriate technical and organisational protection measures (e.g., encryption)
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
c) it would involve disproportionate effort.

Data breach notification to the SA (art.33)
The controller shall notify the SA without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The notification shall:
a) describe the nature of the personal data breach (the categories and approximate number)
b) communicate the name and contact details of the DPO
c) describe the likely consequences of the personal data breach
d) describe the measures taken or proposed to be taken

Data protection impact assessment (DPIA, art.35)
A Data Protection Impact Assessment (DPIA) is a prior written assessment of the impact of the planned processing operations on the protection of personal data.
A DPIA is mandatory for data processing operations presenting high risks to data subjects, such as when two of the following criteria apply:
1. Systematic evaluation/profiling
2. Automated decision making
3. Systematic monitoring
4. Sensitive data processing
5. Large scale processing
6. Match/combine datasets with different purposes
7. Vulnerable data subjects
8. New technologies
9. Preventing people from exercising their rights or entering into a service/contract
What should a DPIA include?
• Description of the planned processing and its purposes
• Necessity and proportionality assessment
• Risk assessment to data subjects
• Measures to address the risks

Prior consultation (art.36)
The controller shall consult the SA prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Data protection officer (art.37-39)
Designation:
a) Public authority or body (except for courts)
b) Regular and systematic monitoring of data subjects on a large scale (core activities)
c) Processing on a large scale of special categories of data (core activities)
If an organisation encounters problems relating to the protection of personal data, the SAs recommend the designation of a DPO even when it is not mandatory.
The primary role of the DPO is to ensure that her organisation processes the personal data in compliance with the applicable data protection rules.
The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
The DPO is NOT responsible for the compliance.
General tasks (art.39.1)
a) to inform and advise
b) to monitor compliance (+awareness and training, assignment of responsibilities, audits)
c) to provide advice during DPIAs
d) to cooperate with the SA
e) to act as the contact point for the SA

Records of processing activities (art.30)
That record shall contain all of the following information:
• the name and contact details of the controller
• the purposes of the processing
• a description of the categories of data subjects and of the categories of personal data
• the categories of recipients (including recipients in third countries or international organisations)
• where applicable, transfers of personal data to a third country or an international organization
• the envisaged time limits for erasure
• a general description of the technical and organisational security measures
Exception for companies with fewer than 250 employees