Hello and welcome back. In this lecture we’re looking at GDPR: General Data Protection Regulation. This is the legislation on data protection in the EU and European Economic Area, and its scope is worldwide. So any company around the world or any organization that interacts with data subjects resident in the EU or EEA have to adhere to these regulations.

What GDPR seeks to do is standardize data protection definitions across the EU and EEA and the rights of the data subjects therein, i.e. the people that actually give their data to companies. It clarifies what controllers, the people that actually own the data, and the processors, the people that process the data (like cloud providers, for example) - it clarifies what their obligations are. It strengthens the ability to actually enforce penalties and fines on companies and addresses the privacy and profiling of information collected by different services and sites on the internet. And then it provides some sort of ease of data management for transfers across the EU, which has made it very useful, even though it’s not exactly future-proof legislation because, of course, technology is going to change exponentially.

In this diagram you can see that there is the European Data Protection Board, currently Working Party 29. There’s the data processor, the data controller, all under the remit of the data protection officer, who feeds back information to the ICO should there be a breach.

The data subjects give their personal data to the data controller under the rights established by GDPR. If the data subjects are frustrated, they can go to the ICO to complain.

GDPR has six principles. The first one is lawfulness, fairness and transparency. So, collecting data for the right reasons and not deceiving data subjects as to why their data is being collected.

Next, there is purpose limitation: only using data for what it's supposed to be used for.

Data minimization: only taking data that you actually need.

Accuracy: keeping it up to date.

Storage limitation: not keeping it for longer than you're supposed to.

And finally, integrity and confidentiality: making sure that your transactions are confidential, so essentially through encryption, and making sure you have a way of checking the integrity of those transactions as well. So even though we can pass them on to a processor, the controller still has the accountability to demonstrate compliance overall if the information they're collecting from data subjects is passing through a processor, so carrying out audit and assurance and doing due diligence on third parties and reporting any breaches no later than 72 hours, unless law enforcement has told you not to report something for legal reasons.

So these things they have to keep a record of; a history of breaches, and actions taken. You can report the breaches in phases if you’re not completely sure that there has been a breach. If processes are breached, controllers need to be notified straight away.

Now let’s take a quick look at some US legislation. In the US there is a voluntary scheme called 'privacy shield'. It was previously known as safe harbor. However, safe Harbor was deemed inadequate by the European Court of Justice. What privacy shield allows companies to do is align themselves with GDPR. However, the thing is that they volunteer to this scheme. That's the first thing. And the second thing is that it's also self-certified. So, companies have 45 days to resolve complaints that are made against them. And there's an annual review, and they also do that themselves.