Introduction to GDPR principles

- [Instructor] So what is GDPR, or General Data Protection Regulation? Why's it important and why do we need to comply with these regulations? How can Microsoft 365 help you to comply with GDPR? Well, let's first cover the main concepts of GDPR and see how GDPR will affect the way you store, manage, and access data. Hopefully you will be somewhat aware of GDPR is and why organizations may need to comply with these rules. GDPR is a set of regulations providing data protection for individuals within the European Union. The new regulations were agreed by all EU member states in 2016. And this became legally enforceable at the end of May 2018. The regulations protects both personal data, for example names and addresses, and sensitive personal data, such as genetic or biometric data. GDPR affects any organization that collects and stores data that is related in any way to the residents of the European Union. That includes companies that work in the EU or in the supply chain of others who have services and products within the EU. In the past businesses have had data protection regulations for many years. But the GDPR overhauls this and makes new rules that will change the way that millions of organizations will store, manage, and monitor personal data that they keep. It's estimated that around 28 million businesses will be impacted by these new rules. Any eligible company that does not comply can be fined can be fined up to 20 million euros, or 4% of their annual worldwide turnover, whichever is the greater. The regulations don't just impact current or new data but also includes old and archived personal data that is stored by businesses. The regulations consist of 99 articles that can be divided into three categories. These are Enhanced Rights for Personal Privacy, Transparent Data Policies, and Increased Duty for Data Protection. In the first category, Enhanced Rights for Personal Privacy, this has two subcategories, lawful basis for processing data and individual rights. Let's take a look at these topics in more detail. I'll include the relevant GDPR article reference for each provision which should be useful if you need to delve deeper into the topics. With the concept of lawful basis for processing data, the regulations include consent. This is where an individual must give clear consent to allow their personal data to be processed for a specific purpose. Consent can be withdrawn. Contract. This covers the processing of data that is necessary to fulfill the contract that you have with individual, such as the address required for the delivery of goods. Legal obligation. Where the processing of personal data is necessary in order to comply with the law and vital interests. This is a special case where the processing of personal data is needed to protect someone's life. We then have public task. Needed to perform a task that is in the public interest or for official functions. Legitimate interests. When processing is necessary for your legitimate interests. Special category data. This is where you have both a lawful interest and a special category condition. For example, you need to process data on race, politics, religion, or health. And then finally, criminal offense data. This is similar to the special category data in that you need both a lawful basis and a reason to process the data. For example, you're in the court service or the police service. The second subcategory of Enhanced Rights for Personal Privacy, includes individual rights. This is for when personal data has been sourced and processed. With GDPR individuals now have the right to be informed where each individual must be clearly notified about what data is being collected and how it will be processed. They have the right of access. Individuals have the right to request access to their personal data. They have the right to rectification. If personal data is incorrect an individual can request that changes are made to correct or complete the data held. They have the right to erasure. If there's no compelling reason for personal data to be stored, then a request can be made for the data to be deleted. And finally, the right to restrict processing. This allows you to store data, but if a request is made, you must no longer process the personal data. For example, you would flag it as not to be processed. There's also the right to data portability. If requested, you have to provide a copy of the data held. For example, an export of the data. The right to object. An individual can object to their personal data being used for such things as marketing, scientific, or historical research. They have rights related to automated decision making including profiling. If you're going to carry out automated processing on data to identify certain characteristics or profiling, then this must be under specific law or have explicit personal consent. And finally, children. Where services are offered directly to a child, you must ensure that the consent and privacy notice is written in a way that a child can understand. You may also need to obtain consent from a parent or guardian to collect and process the child's data. The second category of the regulations is Transparent Data Policies, which are concerned with the accountability and governance. You need to be able to demonstrate that you're complying with the regulations. For example, that you're tracking data processing activities. Contracts. These are required between you, the data controller, and any data processes, including subcontractors with clear guidelines of GDPR responsibilities and liabilities outlined. Documentation. You need to hold documents for auditing purposes. For example, detailing data sharing, data retention, and log files of all data processing. And finally, codes of conduct and certification. These are used to demonstrate compliance and adherence to acceptable rules of data transparency and best practice. The final category relates to the Increased Duty for Data Protection. This includes legislation on data protection by design and default. You need to show that you have considered an integrated data protection into your processing activities. Personal data breaches. You must report data breaches within 72 hours. You may also need to inform those individuals who've been affected. And security. You must protect against unauthorized or unlawful viewing, processing, accidental loss, destruction, or tampering. And then data protection officers. Depending on your size and business type, you may need to appoint a data protection officer with overall responsibility of your data. Data protection impact assessments. You'll need to carry out assessments to show how you'll comply with the legislation and data protection obligations. And finally, international transfers. Under the GDPR legislation you're restricted from transferring data outside of the EU.