ERASMUS+

Digital entrepreneurship for adult learners

An introduction to the General Data Protection Regulation (GDPR)
A few introductory notes on GDPR

What is the GDPR?

If you are going to use IT services to launch and run your digital business, you are required by law to understand what the GDPR is about.

In this module we share the information you need in order to operate a digital business in Europe in compliance with the GDPR.

What is the GDPR

A regulation of the EU Parliament and EU council on “the protection of natural persons with regards to the processing of personal data and the free movement of such data”

Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504

 

Bear in mind…what is a regulation?

Under EU law, a regulation is a legal act adopted by the EU institutions with which all Member States must comply (as is the case with the GDPR). Not all types of EU legislation are as binding as regulations.

The higher the level of the legal act, the more binding its content.

 

The GDPR in brief: scale and scope

1.[GDPR] lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
 
2.[GDPR] protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Be cautious

The GDPR’s whole focus is on EU citizens and their “right to be forgotten”.

• On one hand, the GDPR represents a very robust and reliable system of rights and “privileges”, if we look at it from the private citizen’s perspective.

• On the other hand, the GDPR introduces a large set of legally enforced obligations and duties with which all organisations operating in the EU must comply, if we look at it from the business’s perspective.
Pinpoints

To better understand the General Data Protection Regulation, and how you can comply with it, we first need to give you a few key guidelines and pillars that shape the rationale of the regulation:

• Glossary of references and common terms used by the legislation

• Basic principles of Data Protection

• Privacy rights that fall under GDPR’s interests
The GDPR glossary (Article 4)

Personal data

Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Quoted from legislative text
Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction*, erasure or destruction.
* The marking of stored personal data with the aim of limiting their processing in the future.

Quoted from legislative text

 

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Quoted from legislative text
Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor → A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Quoted from legislative text
Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Quoted from legislative text
Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Quoted from legislative text
7 principles of Data Protection

7 principles of Data Protection (Article 5, Chapter 2)

1. Lawfulness, fairness and transparency of data processing – don’t be shady
2. Purpose limitation – don’t gather more than what you need
3. Data minimisation
4. Accuracy – don’t forget to update the data that you stored
5. Storage limitation – don’t store data for longer than necessary
6. Integrity and confidentiality – don’t forget to secure the data that you stored
7. Accountability – don’t forget to demonstrate compliance with all of the above

 

8 privacy rights

Citizens’ rights (Chapter 3)

1. Citizens have the right to be informed about the processing of their data by third parties
2. Citizens have the right to access their data
3. Citizens have the right to rectification of their data
4. Citizens have the right to be forgotten
5. Citizens have the right to restrict processing of their data
6. Citizens have the right to the portability of their data
7. Citizens have the right to object to the processing of their data
8. Citizens have rights in relation to automated decision making and profiling

From Articles 12 to 23 of the legislative text.
The implication for organisations and businesses

There are six cases (i.e. scenarios) in which organisations are allowed to process citizens’ data, subject to full compliance with the GDPR*:

*From Article 6 of the legislative text

1. Unambiguous consent from the data subject
2. Conclusion of a contract – the organisation’s right to a brief double-check of the subject’s background
3. Full compliance with other legal obligations
4. To protect the vital interests of the data subject
5. To protect the public interest
6. Whenever there is a legitimate interest, provided it does not conflict with the fundamental rights and freedoms of the data subject.
Demonstrating compliance

Transparency

• Perform routine assessment and audit of the “personal data” you process, and of which other parties have access to it
• Disclose the rationale behind your processing – under which of the six scenarios do you operate your processing?
• Operate in full alignment with Article 12 – the first citizens’ right
Security

• Embrace data protection at all stages of the value generation process
• Make personal data as anonymous as possible
• Set up security mechanisms to prevent data breaches – with whom are you sharing your passwords?
• Validate a data protection impact assessment – does your activity damage or threaten personal data?
• Test a notification system for use in case of a data breach – recalling the citizens’ right to be informed
Accountability

• If you have the opportunity, appoint a specialist who can take care of your compliance
• If any third party processes data on your behalf, consider signing a formal agreement
• Large organisations typically rely on the expertise of a Data Protection Officer; consider hiring one as soon as you have enough resources (€)
Citizens’ Data Protection Rights

Make sure to double-check, at any time, your full compliance with all of the citizens’ rights (go back to slide 16 for reference):

• Is it easy for data subjects to be informed about the processing?
• Is it easy for data subjects to access their data?
• Is it easy for data subjects to be forgotten?
• Etc.
 

A final important disclaimer

In the context of this training module, our objective is to guide readers through the very fundamentals of GDPR legislation, something that is in itself very intricate and would require a whole separate context for in-depth consideration.

In the last couple of slides we provided a very brief compliance checklist; this is not exhaustive by any means! If you wish to know more about the GDPR and what your duties and obligations might be, please consider getting in contact with consultants and professionals near you.



Keywords

Entrepreneurship, Digital Entrepreneurship, Digital Skills, GDPR, Security, Data, Privacy

Objectives/goals

If you are going to use IT services to launch and run your digital business, you are required by law to understand what the GDPR is about.

In this module we share the information you need in order to operate a digital business in Europe in compliance with the GDPR.

Description

Under EU law, a regulation is a legal act adopted by the EU institutions with which all Member States must comply (as is the case with the GDPR). In its scale and scope:

1. [GDPR] lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. [GDPR] protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

As such, the GDPR’s whole focus is on EU citizens and their “right to be forgotten”.

• On one hand, the GDPR represents a very robust and reliable system of rights and “privileges”, if we look at it from the private citizen’s perspective.
• On the other hand, the GDPR introduces a large set of legally enforced obligations and duties with which all organisations operating in the EU must comply, if we look at it from the business’s perspective.

To better understand the General Data Protection Regulation, and how you can comply with it, we provide a few key guidelines and pillars that shape the rationale of the regulation:

• Glossary of references and common terms used by the legislation
• Basic principles of Data Protection
• Privacy rights that fall under the GDPR’s interests

Bibliography