Hello everyone. My name is Chris Stevens and I am the Infosec Institute instructor for its Information Privacy Essentials for Cybersecurity Professionals learning path. In this course we're going to talk about the European Union's General Data Protection Regulation, which has been in full enforcement since May 25th of 2018. Companies, organizations and institutions around the globe now find themselves having to comply with this impactful regulation because they want access to the personal data of the hundreds of millions of European Union data subjects, data that they use for legitimate and lawful business purposes. Here are our course objectives. We're going to talk about the GDPR's objectives, and about the responsibilities of data controllers and data processors. We'll talk about the importance of Article 2, the material scope, and Article 3, the territorial scope. We'll talk about Article 30, the records of processing activities requirement. We'll talk about the all-important Article 6 and its principles. We're going to talk about how the GDPR views security and the protection of personal data, and about the lawfulness requirements. Now, the GDPR, unlike its predecessor, the European Union Data Protection Directive, has a data breach notification requirement. It also has provisions for when companies must gain the consent of the data subject for processing his or her personal data. Although the requirement did not exist in many European countries prior to the GDPR, some countries, like Germany, had already required that companies above a certain employee count and under certain conditions have what is known as a data protection officer. So we're going to talk about that role. We'll talk about Article 27's requirement to have a legal representative. And the GDPR, much like other laws around the globe, pays particular attention to protecting children. 
We'll talk about when it's appropriate to do data protection impact assessments. Many of you are familiar with the privacy threshold analysis, which is like a preliminary PIA, and then the privacy impact assessment that we do for any new system or new business practice, or when the law changes or there's a new definition of personal information. You do it to identify privacy risks before putting that system or practice into operation, so that you mitigate them and drive the inherent risk down to an acceptable residual risk. We're going to talk about the six legal bases, at least one of which an organization, company or institution that has to comply with the GDPR must meet for its processing to be lawful. The GDPR also puts a lot of emphasis on where EU data subject data is exported outside of the European Economic Area: if the recipient third country hasn't been deemed adequate and you don't use one of the mechanisms the GDPR provides for transferring personal data from the EU to those locations, then restrictions apply. I can tell you that the invalidation of the EU-US Privacy Shield framework has impacted countries like the United States in particular: personal data can now only be exported from the EU to US companies under certain conditions, as stated by the European Data Protection Board and, in its ruling, by the Court of Justice of the EU. The GDPR also expands the rights that were granted to EU data subjects under the old Directive, and it introduces new rights of the data subject that must be respected. And then finally we're going to talk about what happens if you don't get it right, those administrative fines, which come in two tiers. So buckle your seatbelts, get some popcorn, and hopefully you're ready for a great ride. 
As we talked about, this is another important topic for those of us, privacy professionals and cybersecurity professionals alike, who want to learn more about information privacy and data protection. So let's talk about the GDPR's objectives. The European Parliament and the European Commission began planning for the GDPR not long after the Directive was enacted in 1995, because they understood some of the Directive's shortcomings. The Directive was a set of guiding principles that the EU member nations were supposed to take back to their respective countries and incorporate into their national policies and laws, and that happened unevenly. It caused a lot of angst for companies trying to operate in two or more member states. The GDPR applies not only to for-profit companies but to nonprofits too, so its impact on these companies is pretty astounding, regardless of where they are around the globe. The EU also understood that there had been changes in the way we collect and process information, and that we had to be more cognizant of who we transfer EU data subject data to, to make sure the appropriate security safeguards and other requirements are in place. Now, the GDPR, much like its predecessor, wanted to establish a baseline for how companies can legally and lawfully process personal data, but it didn't want to interrupt the flow of personal data across borders, because that flow is important to the global economy. The GDPR, much like many European data protection laws, places the focus on the individual, viewing privacy and data protection as fundamental human rights. Since 2018 the GDPR has impacted other data protection and privacy laws around the globe; we've seen many countries either amend or enact laws similar to the GDPR, especially if they want to be deemed adequate. I'll talk about that term later. 
It also says that when you look at the GDPR itself, it wants to make sure that it provides the appropriate protections to natural persons. Now, when we talk about a natural person, we're talking about someone living and breathing. The GDPR does not extend rights to the deceased. Let's talk about the material scope, Article 2. If you read what's on the screen, it says the GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. What does that mean in plain speak? It means that if you're collecting EU data subject data by automated means, or partially automated means, or even by manual means, and you're storing it in a filing system, you're in scope. For those of you in the United States, we'll talk later about the Privacy Act of 1974 and how it protects systems of records that contain personal information about individuals. When we think about Article 2, we're talking about those databases, those Excel spreadsheets, and other types of media in which you've collected EU data subject data and are storing it. If that's what you're doing, you may find yourself having to comply with the material scope of Article 2. But there are some exclusions. National security falls outside of the GDPR's scope. Border, asylum and immigration matters and law enforcement processing fall outside of the Article 2 scope. And if you're an individual collecting and maintaining, say, your own household address book for purely personal reasons, that's also not covered under the material scope. Article 3 is extremely important. It has three criteria, and it is the extraterritorial component of the GDPR. 
When we talk about Article 3(1), it simply says that if you are a data controller, the entity making decisions on how personal data is processed, or a data processor, the entity processing that personal data as legally and contractually obligated by the controller, and you are physically established in the EU and processing EU data subject data, you're within the territorial scope and you have to comply. The all-impactful Article 3(2) is the one that says the GDPR applies not only to those processors and controllers physically located within the European Union or the European Economic Area, but also to controllers and processors that are not physically located in the EU. If you're offering goods and services, whether or not payment takes place, and you're processing the personal data of data subjects physically located in the EU, then regardless of where the processing takes place, you have to comply with the GDPR under Article 3. Another area of focus in Article 3(2) is the use of techniques and capabilities to monitor the online behavior of data subjects physically located in the EU. What that means is that if I'm just a person who happens to go to a company's website and peruse it, the company may not fall within the territorial scope of Article 3(2). But if that website is offered in the host nation's language, accepts the host nation's currency, and uses targeted advertising aimed at specific EU data subjects, then you fall under 3(2). We also have Article 3(3), which says that if you're in a place where EU member state law applies by virtue of public international law, namely embassies and consulates and flagged ships at sea, then you also have to comply with the GDPR under Article 3. Let's talk about Article 5. 
I stated earlier that the principles were in Article 6; they're actually in Article 5. They're extremely important because they define, for organizations, companies and institutions, whether you're a for-profit company or a nonprofit entity, the guiding principles you need to comply with. This is where you need to build your corporate policies, procedures, guidelines and standards to ensure that you are compliant. Now, the first one, lawfulness, fairness and transparency, simply says that you process EU data subjects' data lawfully, in accordance with the GDPR and applicable laws. It has to be fair: you can't coerce data subjects into providing their personal information, and that includes employees, because the GDPR does extend protection to employees. And you should be open about how you process that personal data. Accuracy: we want to ensure that the personal data we're processing is accurate, relevant and timely, so we're not creating privacy harms or invasions for EU data subjects. Purpose limitation: you state the purpose, and you limit the processing of that personal data to the stated purpose. You don't use the information for anything other than the agreed-upon purposes without the consent of the data subject. Storage limitation: you only retain personal data for as long as you have a legal or lawful business purpose. After the end of that purpose, once the law no longer requires you to maintain the personal data, you're supposed to get rid of it. The idea that you can retain an individual's personal data in perpetuity no longer exists, and regulators will look at you with a jaundiced eye if that's your approach to data protection or information privacy. Data minimization, simply put: you only collect what you need for that legal or lawful purpose. You don't over-collect, as you know. 
If you've read articles from across the globe, and not just ones about the GDPR, you know that when you over-collect information, there's a greater chance that if you're breached, you're going to impact more individuals, because you've over-collected. Integrity and confidentiality are extremely important. If you're collecting an EU data subject's personal data, you want to maintain confidentiality on a need-to-know basis, and you want to make sure that the information is not altered or processed without the appropriate authorization. Accountability is huge. Under the old Directive the onus was placed on the data controller, because it made the decisions on how EU data subjects' personal data was processed. That was one of the many shortfalls of the old Directive, and the GDPR sought to correct it, so now it also holds processors accountable at certain levels. Let's talk about the lawfulness of processing. This is about the legal bases under which an organization that has to comply with the GDPR may process personal data. You have to meet at least one of these. Consent is huge. Regardless of which law we're talking about, consent is the most ethical means of establishing the lawfulness of processing, because as easily as it is granted, it can be taken away by the data subject. It's supposed to be freely given, not coerced, and it should allow the data subject to withdraw that consent using the same medium in which it was granted. Contractual necessity: if you've got a lawfully written contract that requires you to process this information, then again you comply. Legal obligation: some law says that you have to process this information under these conditions. Vital interests: someone is incapacitated and you're processing to sustain life. And then processing in the public interest. 
Now, we've got examples of that today, looking at COVID-19 and similar pandemic cases, or, if we talk about the government itself, census data and things along those lines. That information has a lawful purpose for processing. And finally, legitimate interests. Companies have to be very careful when they claim legitimate interests, because they have to ensure that their legitimate interests don't override those of the data subject. So they have to do a balancing test. They have to look at their legitimate interest and show that, within the confines of the GDPR, they're not disenfranchising data subjects for their own business purposes, and balance the need to process this information against the need to protect the rights and freedoms of the data subject. Let's talk about Article 7 and delve more into this discussion of consent. We've seen companies like Google run afoul of the French supervisory authority. Supervisory authorities used to be referred to as data protection authorities. They're responsible for enforcing the GDPR and other European data protection laws, and they're also there to advise and consult with data controllers and data processors to ensure that they're compliant with the law. What the GDPR did was really strengthen the enforcement, oversight and consultation abilities of the supervisory authorities. In the case of Google, Google's privacy notice and its practice for consent tried to bundle consent. What do I mean by bundle? It tried to include a number of processing purposes under one consent request. The French supervisory authority, the CNIL, said not so fast, my friend: Google had a poorly written privacy notice, and it was fined to the tune of €50 million, about $57 million. Google appealed the decision, and it was upheld. 
So we need to be particularly careful when we're talking about consent. It needs to be given by the data subject. It's got to be clear and conspicuous, and it needs to be written at the level of the audience. You can't use a lot of legalese; just use clear and plain language. You've got to give me, as a data subject, the right to withdraw that consent as easily as I granted it. We talked about withdrawal of consent: it shouldn't affect the lawfulness of the processing that was based on consent before the withdrawal. And just because I'm withdrawing my consent, that shouldn't be held against the data subject unless it's required by law. And then prior to my giving consent, you've got to tell me the mechanisms by which I can withdraw it. Let's talk about special categories of data, Article 9. This one's important. If you look at European history, we've seen instances where European countries have used access to data subject data to disenfranchise and target elements of their society. We saw this in Spain during the Spanish Civil War. We saw this during World War II, with the use of population data in the former Soviet Union to target people, and in Nazi Germany, where access to population data allowed the regime to target several segments of society. We saw it used in the 60s and 70s by autocratic governments to target members of trade unions. And so this requirement says that if you're going to process special categories of data, we're talking about a higher level of protection for that data, because of the significant risk it poses to the rights and freedoms of the data subjects associated with that personal data. So we've got to protect data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership; genetic data; and biometric data if it's used to uniquely identify you as a natural person. 
That also covers any data concerning your sex life, sexual orientation or health. Related to this, but handled separately, is data relating to criminal convictions and offenses, which is covered by Article 10. Article 10 gives protection to an EU data subject's data that's related to a criminal conviction or a criminal investigation. What the GDPR says is that this information is to be processed only under the control of official authority, and it's not supposed to be released outside of that. What the European Union did, and many people aren't cognizant of this, is that at the same time in 2016, when it enacted the GDPR that came into full enforcement in 2018, it also enacted what's called the Law Enforcement Directive, which is supposed to harmonize law enforcement data protection practices, especially when it comes to using an EU data subject's personal data for criminal offenses and criminal investigations. Let's talk about the rights of the data subject. Like I said before, several of these rights existed under the old Directive, but what the GDPR sought to do was really strengthen the protections of individuals, the EU data subjects. I've used that term many times, and when I say EU data subject we're not just talking about individuals based on their citizenship. We're talking about individuals that are physically in the European Union; they are the ones protected by the GDPR. So I could be a US citizen on vacation in Europe and still be protected under the GDPR. A good friend of mine tried to simplify this, and he said, hey, think about it like this. If I'm a French citizen and I'm driving in the US and I violate a traffic law, do I have to comply with French driving laws or with US driving laws? You'd comply with the US driving laws. 
Likewise, if I'm a US citizen and I'm in the EU and there's a breach of my personal data or of my other protections, is my protection under US law or under the GDPR? It would be the GDPR. These rights are important. Now we're starting to see other countries around the globe look at providing these types of individual rights and freedoms to their citizens and residents, because they understand the importance of protecting personal data at all times, from the time it's collected through its use, disclosure and retention to its disposal. We have an obligation to show due diligence and due care, and that's what these laws are trying to do. And these rights are enforceable. So if you are a company or an organization that violates these laws, you can expect to see some type of administrative penalty, regardless of your size. When we talk about Article 15, we're talking about my right to access my information. I submit a request, and if it's a verifiable request, you've got one month to respond. If you need more time, you can extend that by up to two further months. You have to give me an accounting of what information is there. Article 16 says that if I think the information is wrong, I have a right to have it corrected. The right to erasure, the right to be forgotten, Article 17, existed before the GDPR. But it's an important right, because it says that if you are a controller, the entity making decisions on how EU data subject data is processed, and I believe for one reason or another that the information is obsolete or no longer needed, then I can make a request to have that information erased, not only from your active systems but also from your backups. And the right to be forgotten extends that further. 
Those data processors, the entities out there processing that individual's personal data on behalf of the data controller, must go back and erase that information too. The right to restriction of processing, Article 18, simply says that short of having information completely erased, you can call a time-out and have processing restricted, especially if there's a dispute between the data subject and the controller. During that time you can take the personal data, temporarily stop processing it, take it offline or put it on a separate server, so as to make it inaccessible for that temporary period. And once the dispute is resolved, if you want to resume processing that personal data, you must inform the data subject before the restriction is lifted. We also have Article 19. That's about notification obligations regarding the correction or erasure of personal data and the restriction of processing: you've got to tell the data subject what the decision is, and if there's a decision not to do so, then there's continued discussion with the data subject. The right to data portability is a new one, Article 20. What it says is that I, as an EU data subject, have the right to have my personal data moved from one controller to another controller. This really looks at interoperable systems. The GDPR doesn't mandate interoperability, but the hope is that in the future we'll have interoperable systems that make those transitions seamless. The controller can give my data to me and I can sneakernet it over to the new controller, they can give it to a trusted third party, or if they have interoperable systems they can transfer it directly. There are other conditions you have to meet before the information has to be transferred, and the data has to be in a structured, commonly used and machine-readable format, one that can be read by another computer. 
When we talk about the right to object, Article 21, that's your right to object to the processing of your personal data. You may have agreed to the processing of your personal data under one of those six legal bases we talked about, and then the company or institution wants to process it for a different reason. This is not an absolute right; there are cases, such as research or statistical purposes, where processing can continue. There is one absolute right under the right to object: you have the right under the GDPR to object to receiving direct marketing. Then there's the right not to be subject to automated individual decision-making, including profiling. We're now seeing this written into laws like the California Privacy Rights Act of 2020 here in the United States, where this right has been incorporated. Simply put, Article 22 says, hey, if you're using automated systems, fuzzy logic, AI and the like, to make decisions that might significantly impact the data subject, then before that decision is made final there should be human intervention, so we're not disenfranchising individuals for employment or benefits. It wants a human review of that decision to make sure it's been done fairly. Like I said, before the GDPR's enactment the onus fell squarely on the shoulders of the controller. The only way that controller could obligate data processors to comply with its data protection requirements was to use a contract, and so contractually and legally bind them to maintain the confidentiality of EU data subjects' data and have the appropriate security controls in place to protect that information. Controllers have to meet a lot of conditions. They've got to make sure that before they start processing the data they do the assessment and identify the risks associated with that processing. 
You need to make sure that you balance the need to process that personal data against the need to protect the rights and freedoms of those data subjects. The GDPR talks about technical and organizational measures; in other language you might be familiar with, those are administrative, physical and technical safeguards. You need the appropriate controls and countermeasures in place so that you have adequate security when you're processing data subject data. As cybersecurity and information security experts, we have to work very closely with our privacy counterparts and our other mission and business counterparts to make sure that we're conducting those security assessments. Many of you are familiar with frameworks that require a security assessment and authorization before an information system, or an information and communications technology system, is allowed to process personal information or personal data. So, taking into account the cost, the scope of the processing, the size of the company and things along those lines, you need to make sure that you're processing information in compliance with the GDPR. And just like anything else, this is an evergreen process. It doesn't stop the first time you do it; periodically you have to go back and reassess your processing activities to make sure they still comply with the GDPR. I'm a big proponent of data protection by design, really privacy by design, a concept espoused by Dr. Ann Cavoukian in Canada. Simply put, she says that when we're developing IT systems and services, we need to start thinking about data protection and privacy in the conceptual phase of development. We need to do our assessments, identify what the privacy risks are, and try to mitigate those inherent risks. 
Drive those risks down to the lowest level possible by using controls and safeguards, and design those into the system, because when you have privacy by design, or data protection by design, you also get data protection by default, which follows on from it: once that system is in operation, it does data minimization. It looks at the necessity of the processing, it collects information proportionately, and it limits who can have access to that personal data and how long you retain it, without any action by the system owner, the business or mission owner, or the data subject. It just does those things throughout the lifetime or life cycle of that product or service. The concept came into being in the 1990s; the game changer was the GDPR making it mandatory and legally binding. Companies, organizations and institutions that have to comply with the GDPR now have to demonstrate how they've incorporated privacy or data protection by design into the designs of their information systems and their business and mission practices. But there are things you've got to consider. The original privacy by design had seven foundational principles. When we talk about complying with Article 25, you've got to look at the state of the art: what is the state of this technology and the processing, and how much does it cost you? Cost is also a major driver when we're talking about implementing new processes. Then there's the nature, scope, context and purposes of the processing, the legal basis, why you're collecting it, using and disclosing it, retaining it and disposing of it, and what the associated risks are. I'm a big risk guy. I believe that we should always consider risk any time that we're processing personal data, personal information, personally identifiable information, however the term is defined in your jurisdiction. So I think you need to go back and do a risk assessment to determine the level of potential harm or privacy invasion 
that you might create for that data subject or individual, and then always come back to this, and this is where the GDPR is nuanced: making sure that you're always considering the rights and freedoms of the individuals that might be impacted by your processing. It also says that the controller has to make that determination about the processing, and there are other things you've got to do. You've got to protect the data, using things like encryption and pseudonymization. If you're unfamiliar with the term, pseudonymization means substituting alias values for the original values of the data subject's personal information, using those aliases to obscure the information that isn't needed for a given transaction, and then, when it is needed, making use of the original data for that transaction. You maintain two separate tables or repositories, one with the original values and one with your alias values. When you think about pseudonymization, think about the movie Top Gun, for those of you who saw it. All the pilots had these call signs, and the call sign referred to the person without using their name. It was just a term used to identify that person, giving a level of separation between the original values and the pseudonymized data. You've got to go back and look at the principles we talked about in Article 5 and incorporate those into your data protection by design. We're starting to see companies around the globe that have to comply with the GDPR actually advertise that their products or services are data-protection-by-design compliant, to give the consumer an additional level of comfort knowing that these systems are going to protect their personal data. You've got to do data minimization; you've got to address lawfulness, fairness and transparency; and you've got to make sure that you keep these safeguards and incorporate these processes, because at the end of the day, we still want to stay in business. 
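The two-table pseudonymization just described, as an added worked example that is not part of the lecture or of any real product: the sample records, field names, secret key and helper names below are all constructed for illustration. The working table keeps only a keyed alias per subject (an HMAC rather than a bare hash, so that nobody without the key can recompute an alias from a guessed email address), and the lookup table, which is what you store separately and restrict access to, is the only way back from an alias to the original identifiers.

```python
# Added example, not from the lecture: pseudonymization with a separate lookup table.
# Assumptions: records, field names, key and function names are constructed for illustration.
import hashlib
import hmac
import secrets

# Assumption: these are the fields that directly identify the data subject.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records; Alice appears twice (with different email casing)
# so that linkability across records can be shown.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "FR", "order_total": 42.0},
    {"name": "Bob Example", "email": "bob@example.org", "country": "DE", "order_total": 13.5},
    {"name": "Alice Example", "email": "ALICE@example.com", "country": "FR", "order_total": 7.25},
]


def make_pseudonym(email: str, key: bytes) -> str:
    """Keyed alias for one data subject.

    HMAC-SHA256 under a secret key: the same (normalised) email always yields the
    same alias, so analytics on the working table can still link one subject's
    records, but an attacker holding only the working table cannot test guessed
    emails against it, which a plain SHA-256 of the email would allow.
    """
    normalised = email.strip().lower()
    digest = hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()
    return "subj_" + digest[:16]


def pseudonymize(records, key: bytes):
    """Split records into a working table (aliases only) and a lookup table.

    Returns (working_records, lookup). The working table carries no direct
    identifiers; the lookup table maps alias -> original identifiers and is the
    only link back, so it lives in a separate, access-restricted repository.
    """
    working = []
    lookup = {}
    for rec in records:
        alias = make_pseudonym(rec["email"], key)
        lookup.setdefault(alias, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        working.append(
            {"subject_id": alias, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return working, lookup


def reidentify(working_record, lookup):
    """Re-attach the identifiers for a transaction that genuinely needs them.

    Raises KeyError if the alias is unknown: the working table alone cannot be
    reversed, only the lookup table can do it.
    """
    identifiers = lookup[working_record["subject_id"]]
    return {**working_record, **identifiers}


def leaks_identifiers(working, originals) -> bool:
    """Sanity check: does any identifier value from the originals survive in the working table?"""
    secret_values = {
        str(rec[f]).strip().lower() for rec in originals for f in DIRECT_IDENTIFIERS
    }
    for rec in working:
        for value in rec.values():
            if str(value).strip().lower() in secret_values:
                return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep the key with the lookup table, away from the working data
    working, lookup = pseudonymize(SAMPLE_RECORDS, key)
    print(working)                       # aliases, country and amounts only
    print(reidentify(working[0], lookup))  # original name and email restored for one transaction
```

Run it as a script to see the two tables side by side. The design choice worth noting is that the key and the lookup table together are what turn "pseudonymized" back into "identified", so they belong on a different system and under different access controls than the working data; leak them and the separation the lecture describes is gone.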
We just want to understand the business and achieve profit maximization while respecting the rights and freedoms of those data subjects. Article 25 also covers data protection by default. It says that once you've gone through the hard work of conceptually designing in data protection by design, then data protection by default says that once that system or process is in place, it's going to have the controls that allow it to protect data consistently with the GDPR. Now, Article 28 is important because, remember, I said before that under the old Directive the onus was placed on data controllers. When we talk about data protection by design and data protection by default, the responsibility still falls on the controller, but the processor is supposed to aid the controller in satisfying those conditions. Article 28 has the requirement for a data processing agreement, a contractually binding agreement between the controller and the processor that defines exactly what that processor is supposed to do under the GDPR. This also extends to sub-processors. What Article 28 says is, hey, processor, if you're going to go out and enlist the aid of a sub-processor or a subcontractor to process this personal data on your behalf, first of all you've got to do it contractually, and you have to notify the controller and get its approval before you do so. Simply put, Article 28 says, hey, controller, you can't go out and engage data processors that have a history of violating EU data protection laws, breaching information all the time, and violating the rights and freedoms of individuals. You've got to make sure that they are compliant with the GDPR's provisions and that they too respect the rights and freedoms of EU data subjects. 
It also says, if you are a processor, like I said, and this is a key point, don't go out and contract the services of a sub-processor without telling me as a controller. And then you've got to make sure that if there are any changes to the way in which you're going to process information, because that processor has a DPA, a data processing agreement, with that controller, that needs to be mirrored and captured in the data processing agreement between the processor and the sub-processor. Everybody's held accountable. So once you sign that data processing agreement, all tiers of that processing chain have to be compliant with the GDPR. And processors, if you go out and don't have proper oversight of those sub-processors and they are violating the GDPR, well, you'd better believe you're going to be in violation of the GDPR. Again, we talked about the data processing agreement, and it's going to be between that controller and the processor, and the processor and sub-processors; it legally binds these parties to make sure that again they're competently processing personal information. It's going to talk about how long the processing is going to take place, the type of processing, the legal basis on which you're doing the processing. What type of personal data are we talking about? What type of data subject are we talking about? Are we talking about children? Are we talking about other data subject data? You've got to make sure that it also states clearly for that processor what the obligations and rights of the controller are. These are legally binding documents, instruments by contract that say, hey, don't change the rules, processor, because if you change the rules of the agreement then you in fact have become a controller. Only process information that you were contractually obligated to process, and make sure that you maintain the confidentiality. 
I use that word a lot as a former intelligence officer because it means you should only have need-to-know access to that data. You've got to make sure that any processing that's done by that data processor is done in compliance with the GDPR, other applicable laws, and the data processing agreement. Records of processing activities. Now, before the GDPR's enactment, under the old directive, you had an onerous process where controllers themselves had to contact the data protection authorities, let them know, register with the data protection authorities and get their permission to do processing. Well, the GDPR pretty much streamlined that from an accountability standpoint. So now companies, institutions and organizations that have to comply with the GDPR have to maintain these records of processing activities. Controllers and processors have to do it. Now, if you have 250 employees or more, you're supposed to maintain these Article 30 records of processing activities. If you're processing that risky data, like we talked about, special categories of data, then the number goes out the window; you still have to maintain these records of processing activities. And when you look at those records, the Article 30 records, they've got to have the contact information and the name of the controller, any joint controllers, the controller's legal representative if there's one, and the data protection officer. They've got to state the purpose of the processing: why are you processing this information? What is the legal basis? What categories of data subjects does this processing impact? What categories of personal data? To whom are you going to disclose this information, especially if they're in countries that have been deemed inadequate, that are located in third countries, or if you're talking about international organizations? You've got to talk about that again when applicable. 
When you're transferring that personal data to a third country or to an international organization, include the identification of that third country or international organization. What the GDPR says, especially when we talk about transferring EU data subject data to a country that's not been deemed adequate, is that you're supposed to notify that data subject and get his or her consent. Now, I've used the term adequate many times. When we look at this term, it's the European Commission that determines whether an international organization or a third country has been designated as adequate, and it's a pretty detailed process. It looks at your history, your data protection laws, your data protection practices, whether that country has respect for the rule of law and human rights, whether I as a data subject in those countries have a right to redress under the law and the court system. And so what the European Commission does is it looks at that country or that international organization every four years to make a determination if it is adequate. If so, then it can process information just like it was one of those 27 European Union countries, the UK, the United Kingdom, or countries that are part of the European Economic Area: Iceland, Liechtenstein and Norway. But it's a small list. You talk about those 27 countries; now, after Brexit, the European Union has finally said that the UK can maintain its adequacy status. We're talking about the other ones, excuse me, internationally: we're talking about Argentina, Canada and Uruguay, we're talking about Israel, a very short list. Japan is on the list now. I can tell you who's not on the list: the US, because of our national security and law enforcement practices that have been deemed inadequate. You have to go back and talk about when you're going to get rid of this information, the retention aspects and disposal aspects, and then you also have to talk about security, those technical and organizational security measures. 
For many of you working as cybersecurity professionals, you might use the terms administrative, physical and technical controls or safeguards. You've got to protect the data. Again, we've seen around the globe too many times that we have data breaches that are occurring because companies don't implement the appropriate security safeguards. If you go back and look recently at some of these countries that have been a target, or companies, my apologies, that have been a target of ransomware attacks, it always goes back to internal practices, security practices: SolarWinds, JBS meatpacking company, Colonial Pipeline, to name a few, and others, the 15,000 companies that were impacted in the largest ransomware attack ever. If you go back and look at it, many times it's associated with companies and institutions that have poor security practices. Well, the GDPR says not so fast, my friend, and that's what Article 32 says from a security standpoint: you've got to consider how you're processing this information. What does it cost to implement security? What are the risks associated? What type of processing activities are you engaging in? Now, what are the results of that risk assessment? How are you mitigating those? Are you using capabilities like encryption and pseudonymization to protect personal information? Are you able, throughout that processing activity, to maintain the confidentiality, integrity, availability and resilience of the processing systems and services that are processing personal information? When we talk about the ability to restore the availability of and access to personal data, how, if you have a business disruption of your processing activities, can you do that quickly? And this ties into, for those of you familiar with these terms, business continuity and disaster recovery: how quickly can you return to operations? RTO, which really applies to your ability, given your maximum accepted outage parameters: how long does it take you to resume normal operations? 
We'll look at those when we look at business activities or the information systems themselves. Now, if we're talking about a return to processing, recovery point objectives, we're talking RPO: we're talking about how long it takes you to regain access to that data, because time is money, before you have some type of impact, whether it be physical or technical. And then when you talk about security of processing, are you doing those things to test, validate and verify that your security practices are working? Doing continuous monitoring, making sure that you're continuously assessing and then reporting when you have an incident, to ensure that the controls and countermeasures that you put in place are working as intended. Article 33 is extremely important because what it says is, for the first time at the supranational level, the European Union level, if you are a company, organization or institution and you find that you have a data breach, you've got to report. Now, I like this slide; it streamlines this process. If it happens at the third-party site, the data processor's site, it has to notify that controller immediately. It's the controller that's the center point of notification, between the controller and supervisory authorities, and between the controller and affected individuals. That controller has to do so without undue delay, or within 72 hours of becoming aware of the data breach; it has to notify the supervisory authority. If it determines that there is a high risk that might violate the rights and freedoms of individuals, because it might involve the processing of special categories of data or other sensitive data, then you also have to notify those affected parties themselves. What have you got to tell them? Now, if you have mechanisms in place that would mitigate the impact of a data breach, then you may not have to do notification. It's unlikely to result in a risk to the rights and freedoms of individuals. 
Then again, you may not have to do notification. But if you don't meet that provision, then you've got to tell them the type of breach, the number of people impacted, the number of records impacted. You've got to give them the point of contact information for your data protection officer or any other important data controller or data processor individuals so that they can be contacted. You've got to tell them the nature and scope of the breach. And then you've got to tell them what you've done, short term and long term, to address that breach, to mitigate the impact not only on the affected persons but even on the organization. This is what Article 34 says, and it's key. I want you to remember Article 33 and Article 34, because this is where we see companies running afoul. If you look at the British Airways breach, they were fined significantly because they didn't notify without undue delay, within 72 hours. When we're talking about high risk to individuals, their rights and freedoms, these data subjects, namely if there was a breach of special categories of data, some type of sensitive data that you can't mitigate through your practices, then you've got to notify them without undue delay. You've got to tell them the scope of the breach; you've got to be simple in your delivery and write your notification to the level of the audience. Now, you don't have to notify if you have already put in place the appropriate technical and organizational safeguards and controls, administrative, physical and technical safeguards, such that when you've applied those, the chance and risk to these individuals is minimal. Or, if you use processes like encryption to render that information unusable and unreadable, then again it doesn't require notification, but you have to document that. Or if you've taken steps, like it says in the second sub-bullet, to ensure that the high risk to the rights and freedoms of data subjects is not likely to materialize. 
Like if you have a robust incident response team and strategy in place. Or if it requires a disproportionate effort to notify each of those individuals individually, then again you can turn to the media and other means of substitute notification and notify that data subject. Let's talk about Article 35. Like I said, I'm big on assessments, risk assessments. The DPIA is more narrowly focused than, for those of you that might be familiar with it, the privacy impact assessment. The premise behind those is, again, controllers do these data protection impact assessments, DPIAs, with the assistance of the processor. But the DPIA is much like we talked about generally with the PIA, the privacy impact assessment. If you're going to introduce a new technology that's going to process EU data subject data, when you go and look at your processing activities, they might pose some type of significant risk, high risk, to the rights and freedoms of individuals: do a DPIA. It's my practice, if it's cost effective, that you should do a DPIA or a PIA as part of your routine practices, to consistently and constantly assess risk in your processing activity. You should look at these DPIAs, like I said, if you have large-scale processing of EU data subject data or you're doing profiling of data subjects, if you're engaging in risky practices like using surveillance of public areas, if you're processing special categories of data, highly risky data, if you're processing, you know, criminal offenses and criminal investigatory information; you should do a DPIA before you engage in those practices. You're going to involve the data subject when applicable, and your DPO, data protection officer, will be a part of this process, really trying to identify how you might mitigate that risk. And then when you've done all of those, you've applied those controls and safeguards. 
If you can't mitigate that high risk, then you've got to consult with the supervisory authority, and that supervisory authority has eight weeks to get back to you with advice, and it can request an extension of an additional six weeks to do so. And pretty much what it does is it's a detailed assessment of your processing activity. It looks at it from the legal basis on which you're processing this information, the type of data, its sensitivity, how you are processing that information, to see if you're going to have some type of adverse impact on that natural person. I'm a bit disappointed with that when you look at your DPIA. And like for those of you familiar with the PIA, you know, depending on the government agency or your own internal requirements, they may vary. But when we're talking about the DPIA, the GDPR is pretty explicit. You've got to define in detail what your processing activities are, what the legitimate basis is while you're processing information, and if you're claiming legitimate interests, you've got to define what that legitimate interest is. You've got to talk about keywords like necessity: do you need to process this information in this manner, when we're talking about high-risk personal data, and are your processing activities proportionate to that need? I'm big on risk; I'll continue to say that. Assessing the risk that might be impactful to the data subject, that might impact his or her rights and freedoms, that might create a privacy harm or privacy invasion. Look at how you try to mitigate that risk. What are those administrative, physical and technical safeguards, technical and organizational safeguards, that you put in place to ensure you have end-to-end protection of that personal data throughout the information lifecycle, the data governance cycle, to make sure that you're compliant with the GDPR's requirements that you protect the rights and freedoms of individuals or data subjects? 
Now, data protection officer designation. You know, for those that haven't worked in Europe, you would have found that certain countries really required data protection officers. There's always the question, do I need one? Because the GDPR doesn't say that everyone has to have one. It does say that if you are a controller or processor you should have one if you meet these conditions: if you are a government entity, a public authority that's not a part of the judicial system acting in your judicial capacity; if the core activities of that controller and processor, as they apply to data subjects, impact data subjects on a large scale; if you're processing special categories of data on a large, regular and systematic basis; and if you're talking about criminal convictions and criminal offenses, then you should have a DPO. Now, based on that, you can have one DPO, or, depending on the size of the organization, you can have several DPOs. You can have a DPO that is part of your core employees or staff, or you can contract the services of a competent third party to do so for you. You have to make sure that, when you think of the DPO, these DPOs have a lot of requirements. And I've been reading across the globe where, in some places, like in South Korea, I saw a DPO go to jail because his company failed to comply with South Korean data protection requirements. No, I haven't seen that in the GDPR yet. But again, these DPOs are under great scrutiny. They have to be experts in European data protection law, namely the GDPR. They have to be risk managers, they have to be able to consult with data controllers and data processors, they have to be able to interact closely with supervisory authorities, they have to be able to respond to disputes and complaints by data subjects. It's a full-time job. 
Now, the organization also has requirements: you can't put these DPOs in positions that create conflicts of interest. Don't make your CIO the DPO. You've got to resource the DPOs. I've been reading a lot of articles where, across Europe, what we're finding is that many of these DPOs are under-resourced. I was watching a webinar hosted by the IAPP where they had a DPO. One of the requirements, like in Germany, was that the individual had to be an attorney. That may not be consistent across Europe, but then again you just need to look at those applicable national laws as they apply to the requirement. You know, the DPO is supposed to have unfiltered access to the senior leadership so it can advise it on data protection requirements; you can't fire that DPO just because he or she is bringing you bad news while doing their job as designed. There you go. There's a great slide that just says everything I said: you can't use influence to change the results of the assessment of that DPO, no conflicts of interest, report to the highest levels of management, got to be accessible to data subjects should they have questions about the data protection practices or complaints, you've got to maintain confidentiality when you're dealing with these data processing practices, work closely with supervisory authorities, especially when we're talking about data breaches, and be fully resourced. These are some of the tasks in Article 39. This slide isn't all-inclusive. We're finding the evolution of these tasks: the DPO's requirements are expanding, because again, companies know that to be non-compliant with the GDPR causes pain, and I equate noncompliance to pain. Some of those tasks, as defined in Article 39, are ensuring that our controllers and processors are compliant with the GDPR. 
And other applicable EU data protection regulations, namely the European ePrivacy Directive, which is quickly moving towards becoming a regulation; making sure that you're engaging with supervisory authorities, not only when times are bad, but for consultation purposes, like we saw when we talked about the DPIA: if you can't mitigate that risk, you've got to talk to the supervisory authority; advising organizations on how to do those Article 30 records of processing activities and how to respond to data breaches; advising and consulting with employees of the organization, controllers and processors. Article 44 is extremely important. The GDPR is really focusing on who you are sharing your data subject data with, especially if it's outside the borders of the EU or the European Economic Area. We talked about adequacy; it's extremely important, that's the gold standard. So if you've been designated as being adequate, then you can receive and share data subject data as if you were a European Union country or an EEA country. But most of the countries around the world, and we'd love to talk about that list of 195 countries as identified by the UN, don't make this list. So we have to have other mechanisms by which you can transfer data. Binding corporate rules have been around for almost two decades, or around that point. Really what they say is, if you're a joint venture or a corporate entity, you're going to draft these binding corporate rules based on the GDPR's principles. Because you just can't, say for instance, if you're Google's parent company and you've been authorized to receive and process EU data subject data, you can't just necessarily transfer that information or data to a geographical location in which they don't have the appropriate data protection and privacy rules. So it wouldn't be approved to just provide Google China or Google Russia with access to that information, so you use these binding corporate rules. 
And what those binding corporate rules say is that this corporate entity, this joint venture, is going to comply with these rules as identified in the GDPR. Supervisory authorities are going to approve it, and then once they approve your BCRs, then again you can share that information appropriately, as long as you're consistent with the GDPR's principles and the GDPR itself. Article 46 says you've got to have the appropriate security safeguards in place. You also have to give notice to individuals if you're going to be transferring their information to other than adequate countries or international organizations. It talks about international cooperation for the protection of personal data, meaning that you're working with these entities themselves to make sure that they're compliant with the GDPR's provisions. Now, just like any law, you have areas in the GDPR that defer to EU member state or country-specific laws. And so you've got situations that may require you to do an ad hoc transfer of this data; there's some urgency there. And so again the two or more parties themselves draft a contract and get it approved by the supervisory authority. There are other derogations in there that deal with that. And again, that's one of the reasons why we now have the Law Enforcement Data Protection Directive, to really streamline that process when we're talking about the sharing of criminal investigatory information and offenses information. We've had processes in place, like, from a law enforcement perspective, the mutual legal assistance treaty. When I worked at the FBI, this was one of the mechanisms that was used to be able to transfer EU data subject data as it pertained to a criminal investigation, so that it was done within the confines of local European Union data protection laws. There are administrative fines; really, they're significant. 
I just read an article, I think it was like two weeks ago, maybe last week, that talked about how now we're seeing an increase in the enforcement of the GDPR and the fines are becoming more significant. So what do I mean when I talk about administrative fines? If you're in violation of the GDPR, if you're just in violation of its routine and its principles themselves, your obligations as a controller or a processor, the determination is that you can be fined as much as 2% of your global turnover, or annual revenues, or as much as 10 million euros. I say again, 10 million euros per violation, whichever one is higher. If you find yourself not compliant with a supervisory authority's consent order, if you're violating the individual rights and freedoms of individuals, then you could be fined as much as 4% of your annual global turnover or revenues, or as much as 20 million euros per infraction, whichever one is higher. The higher limit is what Google had to pay because of its violation of the GDPR, which led to that 50 million euro fine. And so there are certain things that the supervisory authorities consider; they aren't going to automatically just jump to the higher levels of these fines. Things that will get you in trouble are if you violate the consent requirements, and that's where Google got in trouble; if you're violating data subject rights; if you're sending information to a third country or international organization without consent; if you're not satisfying things like we talked about, and this is outside the scope, if you're in violation of Member State law, national security, law enforcement, collective security, and other types of requirements that are at the EU level or at the national level of these respective countries. If you're not compliant with a supervisory authority's consent orders, you may find yourself getting hammered at the higher levels of the 20 million euros or 4% of your annual global turnover. 
So let's summarize what we talked about. First of all, regardless of wherever you are around the globe, whether you have to comply with the GDPR or not, you should be familiar with it. For those companies that are practicing in the United States, the GDPR has shown up at our door in different formats. Because the United States lacks that overarching data protection law, information privacy law, US states are moving out and passing pretty comprehensive data protection laws that are similar to the GDPR in certain facets. We've talked about the California Consumer Privacy Act of 2018, and we're going to talk about that later in the course. We're going to talk about the Consumer Privacy Rights Act of 2020. Virginia just enacted its Consumer Data Protection Act of 2021, as well as now Colorado, which just recently did so with the Colorado Protection Act. And we're going to see different aspects of the GDPR that have been incorporated into those laws. And so you should be familiar with the GDPR and its provisions because it's going to help you with those transitions. We talked about how the GDPR moves well beyond the old directive. We talked about Article 2 when we talked about material scope. We talked about Article 3, which really talks about, territorially, whether you have to comply with the GDPR. We talked about Article 5 when we talked about its data protection principles. Again, if you have to comply with the GDPR, you should find those incorporated into your own privacy policies, data protection policies, and the requirements in your employee notice, to make sure that you're addressing those principles in your day-to-day data processing practices and activities. We talked about how it expands the individual rights and freedoms of the data subjects. We talked about the right to access, the right to rectification, the right to be forgotten, the right to restrict processing, the right to object to processing. 
The right to object to automated decision-making, and so that's associated with processing personal data that might adversely impact you as a data subject. We talked about the responsibility and roles of data controllers. We talked about data processors, we talked about accountability. We said the GDPR has changed the landscape by now holding processors and sub-processors responsible for how they process and handle an EU data subject's personal information. We talked about the roles and responsibilities of the DPO, the data protection officer. We talked about when you have to conduct these data protection impact assessments. We talked about the data breach notification requirements. We talked about administrative fines for noncompliance. Hopefully you've enjoyed this discussion; I have. I look forward to talking to you in the next course. I hope you, your family members, and significant others are safe and well. Take care. Chris the Privacy Gremlin will see you in the next course.