GDPR Overview
Legal Disclaimer
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not reflect the most up-to-date legal or other information.
Transcript

00:07
Adam Stofsky
So we're here to talk about the GDPR, the General Data Protection Regulation, and get an overview of this really important law. So let's just start. What is the GDPR?

00:17
Shannon Yavorsky
The GDPR is the European General Data Protection Regulation, and it is Europe's data privacy law. So it applies to the collection and use and storage of all kinds of personal data of individuals who are located in Europe. And there's the EU GDPR, which applies to the EEA. And now we also have, post-Brexit, the UK GDPR, which applies to the UK. And the GDPR, the EU GDPR, was sort of adopted wholesale into UK legislation. So it's basically the same thing for right now. But in general, the GDPR is the privacy law that applies to the collection and use and storage of personal data of individuals located in Europe.

01:10
Adam Stofsky
So what does that mean? What does the law actually require companies to do? What's the law all about?

01:15
Shannon Yavorsky
So there are lots of different requirements, there are lots of little, more nuanced requirements. But some of the big-ticket items in the GDPR, I would say, number one, organizations have to establish what's called a lawful basis of processing. And that's really before you do anything with personal data, you have to pick one of six bases on which to rely to process that, to use that data. So by way of example, an individual can consent to the collection and use of their data for a particular purpose. And you've probably seen that in some circumstances where you get a pop-up that says, oh, tick this box if you want to receive our newsletter. That's consent for the purposes of the GDPR. So that's one of the lawful bases of processing. Another one that's really commonly used is performance of a contract.

02:07
Shannon Yavorsky
So where you're buying a widget and the seller needs your name and your address in order to send you the widget, you need to provide that information to them. So that information is required for performance of a contract. And another really critical item under the GDPR is the privacy notice. So transparency, and that's really telling people what personal data you're going to be collecting about them, what you're going to be using it for, and how it's going to be shared. And a good example of that is the base of a website where you see it says Privacy Policy or Privacy Notice. That's the way that I think most people would encounter that transparency requirement, or privacy notice, as required under the GDPR.

02:55
Adam Stofsky
Let's stop and recap for a sec. We've got the lawful basis of processing data. So basically, the law allows only six reasons why you can even process data in the first place. So if I can't just do it because I feel like it, or maybe like to commit a crime or spy on people, I'm assuming those are not lawful bases, right?

03:13
Shannon Yavorsky
Not lawful bases, yeah. No.

03:15
Adam Stofsky
So you got to have a lawful basis. And then the rest, be transparent. You've got to tell your customers, your users, or I assume your employees, sort of what data you're collecting and why.

03:25
Shannon Yavorsky
Also, yeah, that's a great point. Also employees. So companies in Europe have to tell consumers, but also their employees and business contacts, what information they're collecting about them and how they're going to be using it and who they're sharing it with, as another example. And they do that in their employee privacy notice, which is usually in an employee handbook, or on their public-facing privacy notice, which is on their website. It's a really important piece of compliance because it's kind of the one place that a regulator or a litigant or consumer can see what your privacy practices look like, because at the end of a GDPR compliance exercise, you don't get a certificate or gold star. You're in good shape for compliance, but people can check to see what you've done by taking a quick look at your privacy notice.

04:19
Adam Stofsky
Okay, so we've got a lawful basis and we've got this transparency requirement. What else does the GDPR do?

04:26
Shannon Yavorsky
So I think one of the main things that the GDPR does is adopt a consumer-rights-based approach to privacy. And what that means is it gives individuals rights to their data. So under the GDPR, you can ask for a company to delete your data. You can ask a company to give you access to the data that they hold about you. You can ask for your data to be corrected. So all of these rights are then enshrined in your privacy notice, and then you have policies on the back end within the company that explain the cascade of events that has to occur in order for the company to delete that data or to get it all together to send to the individual.

05:11
Adam Stofsky
Okay, so we've got lawful basis, we've got transparency, we've got sort of consumer, individual rights. Anything else?

05:19
Shannon Yavorsky
So another important part of GDPR compliance is having appropriate security measures. So companies have to have good security programs in order to comply with the GDPR, which requires what's called appropriate technical and organizational security measures. And it's everything from doing pen testing to having locked filing cabinets, literally, like.

05:45
Adam Stofsky
In the real world. Like a locked filing cabinet, literally.

05:49
Shannon Yavorsky
In the real world, in the digital world, but also in the real world. That's right.

05:54
Adam Stofsky
So that makes sense. So the law, it's making sure that in the first place you have a reason to collect data, and then once you have it, it's making sure that you actually kind of take care of it.

06:04
Shannon Yavorsky
Yeah, you're a good steward of the individual's data. And again, whether that's consumers' data, employees' data, or business contact data, any other.

06:14
Adam Stofsky
Major elements of the GDPR we need to get out in this overview?

06:19
Shannon Yavorsky
The one other thing that I would mention is the accountability principle, and the GDPR sets forth a number of different principles that companies have to comply with. And accountability is really the principle of documenting how you're complying with the law. It's really about telling your GDPR compliance story. But for a company that's going through a compliance exercise, it's about documenting all of the decisions that they've made in relation to privacy, about having a privacy notice and adopting internal policies that set out how the company is going to comply with the law. So a security policy and an individual rights policy, by way of example, but really about telling your story of compliance.

07:06
Adam Stofsky
Can you say a little more about that? When you say tell your story, does that mean that every company can do it differently?

07:13
Shannon Yavorsky
Yeah, so there are lots of different ways that companies approach GDPR compliance. And accountability for one company can mean something a little bit different. And an example of that is a company that holds really sensitive personal data, banking details, financial details. In order for that company to comply with the appropriate technical and organizational security measures, they're going to have to do a little bit more than a company that is simply collecting, let's say, IP addresses. So there can be different levels of what you have to show to comply with those principles under the GDPR.

07:50
Adam Stofsky
Right. So there's no checklist within the law. You just have to come up with a plan, essentially.

07:56
Shannon Yavorsky
Yeah, exactly. Unfortunately, there's no checklist. I think that would be much easier for companies to go through and tick the box, but you have to really align around these GDPR principles.

08:08
Adam Stofsky
All right, great. So that's five key aspects of the GDPR. I think that's a great overview to start with. I'm going to try to recap them, but you might have to help me because it's a lot. I'm going to try to do this in order. We got lawful basis of processing, right? You have to have some transparency and let consumers or employees know what you're collecting. You've got to have, there's individual rights, so the law protects a lot of individual rights. You have your security, so you have to actually protect the data once you have it. And then you have all, essentially, your policies, right. Accountability, to make sure that you're actually, or that people can know that you're actually, following the law. Okay, did I get all that right?

08:45
Shannon Yavorsky
Yes. That's a great summary, Adam. It's a really great place to start. Of course, there are a number of other nuanced requirements, but those are the big pieces of GDPR compliance.

08:56
Adam Stofsky
Okay, all right, great. So that's your quick overview of the GDPR. We're going to get into a lot more detail in future videos. Thank you so much, Shannon.

09:04
Shannon Yavorsky
Thanks, Adam.

© 2024 Briefly