Speaker 1: We're going to nail down what GDPR is in less than 10 minutes, focusing on the differences from the 1998 UK Data Protection Act and the 1995 EU Data Protection Directive. Stay with us, as we'll put up a link to download a neat one-page index to GDPR's articles at the end. Really handy when people are rattling off Article 6 this and Article 28 or 30 that. Hi, I'm Robert Boer, the founder and CEO of KeeperBoer, the award-winning solution saving you time, money and stress on GDPR and privacy, giving you a great answer for the board and customers. This video is part of Privacy Kitchen, our free video help on all things privacy. So grab a cup of coffee, and after this, check out our other videos, including 10 Steps to GDPR Compliance. As usual, links are in the notes below, and while you're there, please do like and subscribe. So why GDPR? Well, the old EU law was a directive, which had to be implemented by each member state separately. GDPR took effect in May 2018 and tries to harmonize those laws and practices because it's direct law throughout the European Economic Area. There's no need for any member state to implement GDPR; it's already there. Now, every area pre-GDPR is still there, just more so, and there are new areas, so we'll concentrate on the differences from the old law. GDPR massively increased the maximum fines, from 500,000 to 20 million euros or 4% of global turnover, if higher. If those huge potential fines aren't reason enough to comply, here are two reasons that key surveys say are often bigger. First, internal compliance requirements. As well as those fines, company directors are well aware of the potentially existential threat, particularly to their jobs, of data breaches, and GDPR's in vendor due diligence and customer due diligence. It's also in internal audit, so they need a good answer. Second, it's those partner and customer expectations.
GDPR's now in due diligence by vendors, partners and investors, and particularly when people outside Europe are selling into Europe. So, talking about outside Europe, when does GDPR apply to you? And by you, we're really talking about organizations, although it will also apply if you're an individual processing personal data outside of normal personal or household activity. If you're established in the EEA, GDPR clearly applies to you and everything you do with personal data. Simple. If you're outside the EEA, in the USA for example, GDPR can still apply to you if you fall into one of three main buckets. First, you have an establishment in the EEA and your processing is in the context of the activities of that establishment. GDPR will travel with that personal data and apply to you for that processing. Second, you offer goods or services to individuals in the EEA. It doesn't matter where those individuals reside or what nationality they are. Third, you monitor the behavior of individuals in the EEA. For completeness, there's a rare fourth bucket where GDPR applies because of public international law, so for example a consular post. Personal data is essentially the same under GDPR as under the old law, but GDPR makes clear just how broad that definition is, and it adds genetic and biometric data to the special categories. So personal data is still any information relating to an identified or identifiable living person, the data subject, and they can be identified directly or indirectly, so by that information alone or in combination with other information. Basically, anything that directly or indirectly identifies or could identify a person, alone or with other information. So GDPR's still principles-based, and the first six principles were already there in the UK's 1998 Act. So we'll just list them here and look at the big change: accountability, the seventh principle. In particular, being able to demonstrate your compliance.
That's not always easy, and if you don't have things written down, on paper or digitally, there's no way you'll be able to do this. Fines are also coming through on this aspect, and it's something regulators are focusing on. Now, GDPR's first principle is about lawfulness, and for your processing to be lawful, you've got to identify which of the six lawful grounds, or legal bases, applies before you process that personal data. Again, all were there in the '95 Directive and the UK's '98 Act, so we'll focus on the key changes. Consent, the grande dame of privacy, has got new teeth, and as a result it's dropped from number one to number four in the charts. You now need to keep detailed records, and you may need separate consents for different purposes. Importantly, you can't use it where there's no real choice about giving that consent, so in most employment situations and when dealing with public bodies. It's definitely not the consent you knew under the '98 Act. The new old kid on the block is "necessary for your legitimate interests". GDPR gives examples here, including ensuring network and information security, and even direct marketing. But there's some controversy around how far you can push legitimate interests, and you'll also need to consider the interaction with the e-privacy rules, which, for example, dictate consent for many cookies. And public authorities can't use this in carrying out their duties. Just as before, if you want to process special categories of data, or personal data relating to criminal convictions and offences, you'll need one of the six grounds plus one of the additional grounds particular to that type of data. So, GDPR and controllers. Let's look at eight key changes for controllers under GDPR. Requirements on privacy notices, the information you provide to data subjects about what you collect and what you do with it, have become stricter. So you do need to update your old ones to meet GDPR's requirements.
And you'll have seen this in particular around cookie notices. A bigger change is when you use processors. What used to be a little bit of due diligence and a paragraph in contracts has become much more extended due diligence, including of sub-processors, and a multi-page data processing addendum. Happily, these have become pretty common. A huge change is breach notification. Every controller is now legally obliged to notify personal data breaches to the authorities within 72 hours of becoming aware of them, unless there's unlikely to be a risk to the individuals, and to notify the affected individuals if there's a likely high risk to them. This is huge because, before GDPR, basically only ISPs and telcos had to notify breaches. Now it's everyone, and there's a 72-hour requirement. Existing data subject rights, or DSRs, were so strengthened, and joined by a couple of new ones, that it's worth calling it a new area. Individuals, or data subjects, can ask for access to the data you have on them, correct it and erase it, just like they could before. But they can also now port it to someone else, restrict your use of it and object on broader grounds to your using it. With some requests you've got no choice but to comply, for example withdrawing consent for using their data for marketing. Others are subject to certain conditions, so you need to ensure you get that right and have a team trained on how to deal with them. GDPR now means you have to implement data protection by design and by default. What that means is incorporating data protection principles from the start of any project; that's the "by design" bit. And "by default" means ensuring that they're your default setting across the board. Your privacy policies and procedures will help you here, including your risk assessments, which GDPR calls impact assessments. There's one that GDPR says you have to do, and that's a data protection impact assessment, or DPIA. It needs to be done when there's a likely high risk to individuals.
Children are specifically protected under GDPR, which sees them as vulnerable data subjects. So if you're collecting their data, you need to make sure your privacy notices are written in age-appropriate language and are easily understandable. You'll need to age-verify for certain services, and that age, which is 13 in the UK, can vary across Europe up to 16. And it's much harder to rely on legitimate interests when the data subjects are children than it is for others. We've discussed accountability already. You need to be able to demonstrate your compliance status to the regulator, and because of that, others will ask too, from the board to your customers. So this will include your privacy governance structure, your privacy frameworks, your policies and procedures, your DPIAs, which we've talked about, and your Article 30 records. See, stick around for that one-page index. Article 30 records are the records of processing required to be kept under Article 30 by controllers and by processors. Last, data protection officers, or DPOs. This is a brand new requirement in the European law. It was there, for example, in Germany before. In summary, if you're public sector, you'll need a DPO. If you're private sector, you'll only need a DPO if your core activities include large-scale, regular and systematic monitoring of data subjects, or processing of special categories of personal data or data relating to criminal convictions and offences. Do take a look at our videos on "Do I need a DPO?" and "Who can be DPO?". In another huge development, for the first time processors have direct obligations and liability under the law: to implement appropriate security measures, restrictions on their use of sub-processors, liability for infringement of GDPR's processor rules and also for processing that's contrary to the instructions of the controller, and to designate a data protection officer and/or an EU representative as required. So there you go. That's a quick summary of the huge law that is GDPR.
I said we'd share the one-page index to GDPR, and the link is also in the notes below. It's a great cheat sheet when someone's lording it over you with Article 24 this and Article 83 that. Take a look at our other videos, including 10 Steps to GDPR Compliance, and please do visit us at keepable.com. Do use the hashtag #PrivacyKitchen to let us know the topics and questions you want us to cover. Stay well in the meantime, and see you soon in Privacy Kitchen.