GDPR, Data Processor Data Controller, DPO

The document provides an overview of the General Data Protection Regulation (GDPR) including its objectives to give citizens control over their data, build trust, and simplify privacy rules. It discusses GDPR requirements for companies, potential fines for noncompliance, and definitions of data controllers and processors.

1. Overview & Objective of GDPR

We live in an interconnected world. In 2021, there were over 4.9 billion internet
users who consumed over 44 billion gigabytes of data per day. That's 60% of the
world's population. This data moves in microseconds. GDPR is a regulation created in
2016. It contains 99 articles covering basic data privacy for individuals, also known as
data subjects, who are located in the European Union and the European Economic
Area. This regulation requires businesses to protect the personal data of these
individuals regardless of the business's location and of the individuals' citizenship or
residence.

GDPR has three primary objectives.

• The first one is control. Each citizen must opt in and provide consent to how
personal data is used and processed. Data subjects can revoke their consent at
any time.

• The second objective is trust. This regulation wants to encourage long-term
consumer confidence. It's mainly about safety.

• The third objective is simplicity. Fragmented rules and legislation led to
disjointed application by many organizations. Organizations need clear
visibility, understanding and control over the data that they process. With
simplicity, the hope is to achieve a standard approach across organizations
and industries. There have been several attempts to secure data, but GDPR is
the most far-reaching and comprehensive regulation to date.

2. Punitive measures as per GDPR

Any organization with EU business transactions will be subject to the GDPR
regulation. There are differing levels of fines that can be assessed on any organization
that is found to be noncompliant. On the lower limit, a company can be fined 2% of
its annual revenue. Note that this is not net profit, but all global revenues, or 10 million
euros, whichever is higher. On the other end of the spectrum, companies can be
fined up to 4% of their annual revenue, or 20 million euros, again, whichever is
higher. These fines could be detrimental to companies that are found to be non-
compliant. When a governing body is considering what level of fine to impose, they
use certain criteria to determine what the fine will be. Some examples may be the
mitigations that an organization had in place, the history of previous breaches, or
that organization's cooperation with the governing body.

The regulation obligates member states to set up a supervisory authority called a
data protection authority, or DPA. These authorities have two enforcement
elements: monitoring whether individuals can exercise their rights, and evaluating
whether processing is complying with the rules set by GDPR. If the data protection
authority suspects a violation, they have investigative powers to determine if that
violation exists. They may also issue warnings to a controller or processor. If the DPA
determines a violation has taken place, they can take several actions, including
reprimands, orders to comply, such as requiring erasure or restricting processing,
and ordering breach notification to data subjects. The DPA can take more severe
measures as well, such as banning processing, revoking a certification, or even
suspending data flows to a recipient. These can cause real business disruption if
taken. The most far-reaching power of the data protection authority is the ability to impose
administrative fines. These fines can range from small fines to substantial fines for
severe infractions. While financial penalties started out slowly after the GDPR went
into effect, the number of fines and the amount of those fines has steadily increased
since the regulation's inception. Fines have been as small as 300 euros, and to date
have topped over 750 million euros. The fines span the EU member states. The
greatest number of fines have been imposed based on the top three violations. The
most common violation is insufficient legal basis for data processing. Second is
insufficient technical and organizational measures to ensure information security.
And third is noncompliance with general data processing principles. What that tells me is
that you need to ensure you have a legitimate reason to process the data, you need
to ensure you have solid security measures, and you need to ensure you are processing
data within the guidelines of the GDPR. So let's talk about some real examples.

• WhatsApp was fined 225 million euros for failure to meet the information
transparency requirements. In addition to the fine, the Data Protection Board also
required WhatsApp to bring its processing activities into compliance and to update
its privacy notices.

• Marriott International was fined 18 million pounds for not having sufficient security
measures, including monitoring of privileged accounts, monitoring of databases, lack
of server hardening and lack of encryption. Of note, the initial fine recommendation
was 99 million pounds, but was reduced based on Marriott's prompt notification
action and seeking to mitigate the risk of damage to data subjects. You can see here
that transparency, compliance with the outlined measures, and working with the
regulatory authorities can help reduce potential fines.

Understanding the data protection authority's obligations, investigative powers and
enforcement authorities, as well as understanding the most common reasons for
imposing fines, will help you to ensure you are prioritizing and complying with the
most common violations.

3. Data controllers and processors

There are two primary groups of organizations covered under GDPR in terms of
processing data: data controllers and data processors. Data controllers have
responsibility for control over personal data. They are in effect the data owners. They
have ultimate accountability for the safety of that data. One of the tasks a data
controller is responsible for is ensuring compliance. They do this by
processing personal data fairly. Those organizations must obtain data fairly and keep
it only for its identified purpose. The data controllers must keep it safe, and they
must manage any processors they may use.

Data processors are engaged by controllers to obtain, process, analyze, and store
data on the controller's behalf. You can think of them as third-party vendors, such as
a managed service or a software product company in the cloud. Data processors
must act exactly as they are instructed by controllers. Some areas they are
responsible for include protecting the data, obtaining written permission to use any
subcontractors, and contributing to any compliance audits that may happen for the
data. When we look at them side by side, you can see that the data controller is the
owner of the data and the processor must follow the controller's instructions. The
data controller is responsible to EU citizens, whereas the data processor is
responsible only to the controller. The data controller must have technical measures
and processes in place, but the data processor must commit to those security
measures to protect the data. Controllers and processors should leverage contracts
to commit to the appropriate security measures and understandings. There are
usually penalties for broken contractual agreements. Finally, controllers do have the
right to inspect the premises of any data processor.

Let's go through an example using a fictitious company called Explore California.
Explore California is a travel company that has clients from the European Union come
and visit. They also have some employees that live and work in the EU. Because they
are storing EU citizen data, this makes them responsible for following GDPR. If Explore
California has a set of employees and they are keeping personal data as part of their
employment contract, Explore California becomes the data controller. If that company
were to use an HR software provider to process and store the personal data, that HR
provider becomes the data processor. The contract outlining the respective roles and
responsibilities would specify what data Explore California is responsible for and
what the HR software provider is allowed to do as they process that data.
Understanding whether an organization is a controller or processor, and in some cases
maybe both, helps that organization understand their responsibilities with the data.

4. Article 24: Responsibilities of the data controller

Article 24 outlines the four primary tasks a controller is responsible for in that role.

• The first task is to have appropriate measures in place. These are both
technical measures and processes. Documenting those processes and
measures can show an organization's diligence. Be sure to put in audit
mechanisms to be able to show those measures as evidence.

• Second is to understand the data being processed. A data mapping exercise
will facilitate this. Understand what the organization has and why they have
it. Additionally, understand the probability and impact of losing that data. This
is to enable us to determine the appropriate measures based on the criticality
of the data.

• Third is to protect the data. This task is based on the nature of the data or its
criticality. An organization needs to have a policy regarding these protections
and it needs to be communicated and readily available. It doesn't hurt to
have standards that can be executed as well.

• The fourth responsibility is to have a Code of Conduct. This should also be a
written policy. Additionally, it must adhere to Article 40 of the GDPR or an
approved certification. Article 40 has 11 codes outlined in its tenets. A few
key clauses in Article 40 are around processing, legitimate interest in the data,
and consideration of data subject rights. These four tenets are the core
responsibilities of a data controller outlined in Article 24.

5. Article 28: Data processor tasks

Article 28 is important to understand because it outlines the four primary tasks a
data processor is responsible for in that role.

• The first is to implement security measures. How this is implemented
depends on the nature of the data and how it is being handled. These can be
technical measures or they can be process-based.

• Second is the use of subprocessors. This happens when a processor
outsources some part or all of the data processing to a third party. A
subprocessor is bound by the same data protection obligations set out in the
processor's contract with the controller. The explicit consent of the controller
is required in order to be lawful. Further, an additional contract is put in place
for subprocessors with the appropriate clauses that apply.

• The third tenet is that the processor must ensure there is a contract in place
with the controller. Some components to include in the contract should be
whose data is being processed, categories of data subjects, which data is
included, what it is and how it is being used. The contract should additionally
list out the responsibilities of both the controller and the processor.

• Fourth, the processor must ensure they only process in-scope data. They
should have records of the processing activity and logs to review. These logs
can be used as evidence in case of an audit. It's important to note that the
processor can be considered accountable, just like the data controller, if they
violate any of these responsibilities. These four tenets are the core
responsibilities of a data processor as outlined in Article 28.

6. Data protection officer (DPO)

An organization's ability to conform to the GDPR lies heavily with the role of the data
protection officer, or DPO. Understanding the responsibilities and expectations of the
DPO is critical to identifying the right person for the role. Who needs a data
protection officer? The regulation states that any controller or processor who
requires regular and systematic monitoring of data subjects on a large scale needs a
DPO. Let's take a look at the six tasks that a data protection officer is responsible for.

• First, they must inform the data subjects about their rights and raise
awareness of the regulation.

• Second, they must also advise their institution about the application of the
GDPR rules.

• Thirdly, they must do prior checks of risks and have a list of operations that
the organization will undertake.

• Fourth, they must help the institution be accountable to the governing
agency. The data protection officer must also answer any questions and
handle complaints.

• Fifth, in the case of an investigation, the data protection officer must help
with the cooperation between their organization and the governing agency.

As we can see, the data protection officer role is embedded in an
organization's ability to maintain compliance with GDPR.
