Understanding GDPR

Developed with
QA

Overview

Difficulty: Beginner
Duration: 1h 32m
Students: 271
Ratings: 4.4/5
Description

Please note: this course has now been refactored into a learning path, which you can find here.

***

This is a beginner-level course designed to provide you with an introduction to information technology security concepts. The course will suit anyone interested in understanding the fundamentals of security from both a business and a technology perspective.

Learning Objectives

In this course we will provide:

  • An introduction to the concept of information security
  • Coverage of the basic concepts that pertain to information security
  • An answer to the question: what is information security and why do we need it?
  • An exploration of some of the frameworks, controls and activities we can implement to manage information security

Intended Audience

This course is intended for anyone who wants to learn the fundamentals of IT security.

Prerequisites

This is a beginner-level course; a basic understanding of computing concepts will be useful.

Feedback

Please reach out to us at support@cloudacademy.com with any questions, comments or feedback.

Transcript

Hello and welcome back. In this lecture we're looking at GDPR, the General Data Protection Regulation. This is the legislation on data protection in the EU and European Economic Area, and its scope is worldwide: any company or organization anywhere in the world that interacts with data subjects resident in the EU or EEA has to adhere to these regulations.

What GDPR seeks to do is standardize data protection definitions across the EU and EEA, along with the rights of the data subjects therein, i.e. the people who actually give their data to companies. It clarifies the obligations of controllers (the organizations that determine what is done with the data) and of processors (the organizations that process the data on their behalf, such as cloud providers). It strengthens the ability to enforce penalties and fines on companies, and it addresses the privacy and profiling of information collected by different services and sites on the internet. It also eases the management of data transfers across the EU, which has made it very useful, even though it's not exactly future-proof legislation because, of course, technology is going to keep changing rapidly.

In this diagram you can see the European Data Protection Board, currently Working Party 29. There's the data processor and the data controller, both under the remit of the data protection officer, who reports to the ICO should there be a breach.

The data subjects give their personal data to the data controller under the rights established by GDPR. If the data subjects are frustrated, they can go to the ICO to complain. 

GDPR has six principles. The first one is lawfulness, fairness and transparency. So, collecting data for the right reasons and not deceiving data subjects as to why their data is being collected.

Next, there is purpose limitation: only using data for what it's supposed to be used for.

Data minimization: only taking data that you actually need.

Accuracy: keeping it up to date.

Storage limitation: not keeping it for longer than you're supposed to.

And finally, integrity and confidentiality: making sure that your transactions are confidential, essentially through encryption, and making sure you have a way of checking the integrity of those transactions as well. Even when data is passed on to a processor, the controller remains accountable for demonstrating compliance overall if the information it collects from data subjects passes through that processor. That means carrying out audit and assurance, doing due diligence on third parties, and reporting any breaches no later than 72 hours after becoming aware of them, unless law enforcement has told you not to report something for legal reasons.

So controllers have to keep a record of these things: a history of breaches and the actions taken. You can report a breach in phases if you're not yet completely sure that there has been one. If processors are breached, controllers need to be notified straight away.

Now let's take a quick look at some US legislation. In the US there is a voluntary scheme called Privacy Shield. It was previously known as Safe Harbor; however, Safe Harbor was deemed inadequate by the European Court of Justice. What Privacy Shield allows companies to do is align themselves with GDPR. The thing is, first, that companies volunteer for this scheme, and second, that it is self-certified. Companies have 45 days to resolve complaints made against them, and there is an annual review, which they also carry out themselves.

About the Author

Students: 5578
Courses: 12
Learning Paths: 4

Originating from a systems administration/network architecture career, he spent a solid part of it building networks for educational institutes. With security a mainstay of his implementation work, he grew a strong passion for everything cyber oriented, especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was selected for the CCNP Cyber Ops program.