Technical Implications of the General Data Protection Regulation (GDPR)
Jaclyn Tsiang

Introduction
● Redefining personal data
● Global scope
  ○ Affects any organization that manages data from EU residents
● Complying with GDPR
  ○ Effective May 25, 2018

Before GDPR
● EU Data Protection Directive of 1995
  ○ Initial privacy and data protection benchmarks
  ○ Directive vs. regulation
  ○ Enforcement differed between EU member states

What GDPR Compliance Means
● Personal data = any information that relates to an “identifiable natural person”
● Individual is owner, company is custodian
● Right to access, port, rectify and erase data
● Mandatory breach reporting
● Penalties for noncompliance
  ○ Minor noncompliance issues: up to 10 million euros or 2% of global annual turnover
  ○ Major noncompliance issues: up to 20 million euros or 4% of global annual turnover

Effect on system architectures
● Right to erasure, also known as the right to be forgotten
● Constraints on automated decision making
● Data protection impact assessments
● Data protection officers

Right to be forgotten
● User can demand that their data be deleted
● Organization must erase data “without undue delay”
● Challenges
  ○ Data spread over multiple locations
  ○ Tracking all data
  ○ Auditing erasure

Architecting a solution for data erasure
● Must evaluate:
  ○ What personal data exists
  ○ Where it is located
  ○ Where data is managed and processed within organization
  ○ Who can access it
  ○ Timestamps of data
  ○ Whether other data retention regulations apply
● Solutions containing auditing and erasure functionality:
  ○ Use centralized data management
  ○ Build individual services if data is distributed across different stores

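A sketch of the distributed-store option above, added here as an example and not part of the original slides: a coordinator fans one erasure request out to a per-store service, skips records under a retention hold, and records each outcome in a hash-chained audit log. The `Store` and `ErasureCoordinator` names, the status strings, the request ids and the hash chain are assumptions made for illustration.

```python
import hashlib
import json

class Store:
    """Hypothetical erasure service wrapping one data store."""
    def __init__(self, name, records, retention_hold=()):
        self.name = name
        self.records = dict(records)               # subject_id -> personal data
        self.retention_hold = set(retention_hold)  # subjects under another retention rule

    def erase(self, subject_id):
        if subject_id not in self.records:
            return "not_found"
        if subject_id in self.retention_hold:
            return "retained"  # flag for review instead of deleting
        del self.records[subject_id]
        return "erased"

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class ErasureCoordinator:
    """Fans one erasure request out to every store; keeps a hash-chained audit log."""
    def __init__(self, stores):
        self.stores = stores
        self.audit = []

    def erase_subject(self, request_id, subject_id, ts):
        results = {s.name: s.erase(subject_id) for s in self.stores}
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        # The log records the request id and per-store outcome, not the erased data.
        entry = {"request": request_id, "ts": ts, "results": results, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        return results

    def verify_audit(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False  # an entry was altered, removed or reordered
            prev = e["hash"]
        return True

def build_demo():
    # Constructed sample data: three stores, one with a retention hold on u42.
    crm = Store("crm", {"u42": {"email": "a@example.com"}, "u7": {"email": "b@example.com"}})
    billing = Store("billing", {"u42": {"invoice": 1001}}, retention_hold={"u42"})
    analytics = Store("analytics", {"u7": {"clicks": 12}})
    return ErasureCoordinator([crm, billing, analytics])
```
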
Automated Decision Making
● GDPR prohibits any “decision based solely on automated processing, including profiling”
  ○ Profiling: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”
● People should have ability to intervene in decision making
● Data subjects are able to express their point of view and contest decision
● Holds data processors accountable for ensuring transparent and fair algorithms

Data Protection Impact Assessments (DPIAs) and Data Protection Officers (DPOs)
● DPIA: assessment performed to evaluate risks if processing may put individuals’ rights at high risk
● DPO: person appointed to help monitor internal compliance, provide advice on data protection, and communicate with data subjects/supervising authority

Impact on US Companies
● GDPR applies to any company dealing with EU resident data
● No comprehensive national law on personal data in US
  ○ The only laws that exist address very specific types of personal data, like cardholder data and medical data
● Important to understand that Personally Identifiable Information, as defined in US privacy law, is not the same as GDPR’s definition of personal data
● US companies should carefully assess whether GDPR applies to them, and what steps they need to take to comply