Data inventarization according to GDPR

Legal IT Group

17 May 202234:45

Summary

TLDRThis webinar script delves into the essentials of data inventorization under GDPR, emphasizing the importance of understanding data flows for compliance. It guides through creating data maps, offers tips for data minimization, and addresses the roles of data controllers and processors. The speakers, privacy lawyers from Legality Group, also highlight the significance of maintaining records of processing activities and responding to data subject requests. Additionally, they introduce a charity program to support children affected by the war in Ukraine, encouraging donations.

Takeaways

📝 The webinar focuses on data inventorization according to GDPR, emphasizing the importance of understanding data flows and creating a data map for compliance.
👤 The speakers, Ledeslav and his colleague, are privacy lawyers from Legality Group, who specialize in various international data protection laws including GDPR and CCPA.
💡 The webinar highlights the significance of data minimization and understanding applicable laws for data militarization, suggesting that maintaining a data inventory can mitigate risks of unnecessary data storage.
📈 Data inventory and mapping are crucial for GDPR compliance as they help companies adhere to its principles, such as purpose limitation and storage limitation.
🔒 GDPR's Article 30 mandates maintaining records of processing activities, which can be facilitated by having a data inventory or map, detailing information like purposes of processing and data categories.
🔄 The involvement of third parties in data flows is significant, and companies must identify all parties involved and specify what data is shared and for how long.
🤝 The role of data controllers and processors is clarified, with examples given to distinguish between the two, especially in scenarios involving software development services.
🌐 Data transfers, especially to third countries outside the EU, require additional safeguards like data protection agreements with standard contractual clauses.
🛡️ Data inventory and mapping are instrumental in responding to data subject requests and security incidents, helping to identify impacted data subjects and meet GDPR's notification timelines.
🔑 Tips for data inventorization include understanding what constitutes personal data, knowing one's roles under GDPR, and utilizing data maps for handling data subject requests.
♻️ Regular review of data flow maps and records of processing activities is advised, especially when new features are implemented that may collect additional personal data.

Q & A

What is the main topic of the webinar?
-The main topic of the webinar is data inventorization according to the General Data Protection Regulation (GDPR).
What are the three main points covered in the webinar's agenda?
-The three main points covered are understanding data flows, drawing a data map, and providing tips for data minimization and understanding applicable laws regarding data militarization.
What roles do Ledeslav and the colleague from Legality Group have in the webinar?
-Ledeslav and the colleague are privacy lawyers working for Legality Group, and they are presenting on data militarization according to GDPR.
What is the significance of the charity program mentioned in the webinar?
-The charity program is developed by the company to support Ukrainian children affected by the war, providing assistance and encouraging donations to help those in need.
What does GDPR stand for and what does it govern?
-GDPR stands for General Data Protection Regulation, which is a regulation in EU law that governs the processing of personal data of individuals within the European Union.
What are the GDPR principles mentioned in the script?
-The GDPR principles mentioned are purpose limitation, storage limitation, and the requirement for data to be processed only in accordance with specified, explicit, and legitimate purposes.
What is the importance of maintaining records of processing activities under GDPR?
-Maintaining records of processing activities is a direct obligation under GDPR for certain controllers and processors, which helps in compliance and provides necessary information for handling data subject requests and security incidents.
What is the role of third parties in data flow and how should it be managed?
-Third parties may receive personal data from companies, and it's important to identify all third parties, the data shared with them, and the duration of data sharing. Information about data sharing should be included in the data inventory or map.
How can a data inventory or data map assist in responding to data subject access requests?
-A data inventory or data map can help identify all the information a company has about a data subject, making it easier to locate and provide the requested information or to determine if the request can be fulfilled.
What are the key steps in drawing a data map for GDPR compliance?
-The key steps include understanding the sources of personal data collection, identifying the roles of all subjects under GDPR (data controller, processor, or subject), and mapping out the flow of data, including transfers to third parties and data recipients.
What are some tips for data inventory and understanding applicable laws under GDPR?
-Tips include understanding which data is personal, knowing your roles under GDPR, utilizing data maps for handling data subject requests, specifying the categories of data collected, understanding retention periods, and regularly reviewing data flow maps and records of processing activities.

Outlines

00:00

📝 GDPR Data Inventory and Mapping Basics

The first paragraph introduces the webinar's focus on data inventory and mapping under the General Data Protection Regulation (GDPR). It outlines the agenda, which includes understanding data flows, creating a data map, and discussing data minimization and legal compliance. The speakers, Ledeslav and a colleague, both privacy lawyers from Legality Group, provide a brief introduction of themselves and mention their company's charity program supporting children affected by the war in Ukraine. They encourage donations and transition into the main topic of GDPR compliance.

05:02

🔒 Understanding GDPR Principles and Data Inventory

The second paragraph delves into the GDPR principles, emphasizing the importance of data inventory and mapping for compliance. It explains the purpose limitation and storage limitation principles, highlighting the need to process personal data only for specified purposes and within a defined time frame. The paragraph also discusses the connection between data inventory and the maintenance of records of processing activities as required by Article 30 of the GDPR. It touches on the role of third parties in data flows and the necessity of documenting data sharing arrangements.

10:03

🤝 Third Parties and Data Subject Rights in GDPR Compliance

This paragraph discusses the significance of third-party involvement in data processing and the importance of identifying all recipients of personal data. It also addresses the rights of data subjects under the GDPR, using a scenario where a user submits a data subject access request. The paragraph illustrates how a data inventory can facilitate the identification and provision of all personal data held by a company about an individual, thus aiding in the fulfillment of data subject requests.

15:04

🛠️ Creating Your First Data Map for GDPR Compliance

The third speaker provides a step-by-step guide on creating a data map, emphasizing its importance for GDPR compliance. The explanation covers understanding the subjects involved in data processing activities, identifying the sources of personal data collection, and recognizing the roles of data controllers, processors, and subjects under the GDPR. An example of a software development company is used to illustrate how to create a data map, including identifying data sources, the types of data collected, and the recipients of that data.

20:07

🌐 Data Transfers and International Considerations under GDPR

This paragraph focuses on the complexities of data transfers, especially to third countries outside the European Union and European Economic Area. It discusses the need for additional safeguards, such as data protection agreements with standard contractual clauses, to justify such transfers under the GDPR. The paragraph also highlights the importance of understanding the destinations of personal data transfers and the implications for compliance with GDPR regulations.

25:08

📚 Tips for Data Inventory and GDPR Compliance

The sixth paragraph offers practical tips for conducting data inventory and maintaining compliance with the GDPR. It advises on understanding what constitutes personal data, the roles of data controllers and processors, and the importance of utilizing data maps and records of processing activities when handling data subject requests. The paragraph also touches on the example of payment processors and their role in collecting personal data on behalf of their clients.

30:08

🗓️ Data Categories, Retention, and Regular Reviews for GDPR

The final paragraph provides additional tips on data inventory, emphasizing the need to specify the categories of data collected, understand retention periods, and perform regular reviews of data flow maps and records of processing activities. It also advises on the importance of knowing where data is stored, especially if it involves cloud storage outside the EU, and the necessity of updating records when new data categories are introduced due to new features or services.

📢 Conclusion and Call to Action for Webinar Participants

The conclusion of the video script thanks the participants for their attention and provides a final reminder about the charity initiative to help Ukrainian children. It encourages viewers to subscribe to their YouTube channel for updates on legal webinars and to follow their social media for the latest information. The paragraph ends with a call to action for donations and assistance for those affected by the war in Ukraine.

Mindmap

Keywords

💡Data Inventory

Data Inventory refers to a comprehensive record of all personal data held by a company. It is a critical component in achieving compliance with the General Data Protection Regulation (GDPR). In the video, it is discussed as the first step to GDPR compliance, helping companies understand what personal data they collect, store, or process, and ensuring that data is processed only for specified purposes and for no longer than necessary.

💡Data Mapping

Data Mapping is the process of creating a visual representation of data flows within an organization. It is closely related to Data Inventory and is used to identify where data comes from, where it is stored, and how it is processed and shared. The script mentions data mapping as a tool to help companies understand their data flows and to maintain records of processing activities, which is a direct obligation under Article 30 of the GDPR.

💡GDPR Principles

The GDPR Principles are guidelines set out in Article 6 of the GDPR that dictate how personal data should be processed. They include principles such as lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. The video emphasizes the importance of adhering to these principles when processing personal data and how a data inventory can assist in compliance.

💡Data Minimization

Data Minimization is the concept of collecting and retaining only the minimum amount of personal data necessary to fulfill a specified purpose. The script discusses tips for data minimization, which is one of the GDPR principles that helps to reduce the risk of unnecessary data storage and potential data breaches.

💡Data Subject Requests

Data Subject Requests are formal requests made by individuals to access or modify their personal data held by a company. The video script describes how a data inventory and data mapping can facilitate the process of responding to such requests, ensuring that companies can quickly identify and provide the information requested by the data subject.

💡Records of Processing Activities

Records of Processing Activities are documents that controllers and processors must maintain under Article 30 of the GDPR. They detail the processing of personal data, including purposes, categories of data subjects, categories of personal data, and information about international data transfers. The script explains that having a data inventory can simplify the task of maintaining these records.

💡Third Parties

Third Parties in the context of the GDPR are external entities that a company may share personal data with, such as CRM systems, cloud technologies, or marketing platforms. The script discusses the importance of identifying all third parties involved in data transfers and the data shared with them, which is crucial for compliance with GDPR's data protection requirements.

💡Data Controller

A Data Controller is an entity that determines the purposes and means of processing personal data. The script explains that a company can act as a data controller when it uses personal data for its own purposes, such as when developing software for a client who provides the data.

💡Data Processor

A Data Processor is an entity that processes personal data on behalf of a data controller, following the controller's instructions. The script provides an example of a software development company acting as a data processor when it develops a feature for a client's software, using the client's data according to the client's defined purposes.

💡Personal Data

Personal Data is any information relating to an identified or identifiable natural person. The script clarifies that personal data can include not only names and email addresses but also IP addresses and other identifiers. It is important for companies to understand what constitutes personal data to ensure they are processing it in compliance with the GDPR.

💡Data Protection Officer (DPO)

A Data Protection Officer is a role designated by organizations under the GDPR to oversee and monitor data protection strategies and compliance. While the script does not explicitly mention the role of a DPO, the mention of 'DPO' in the context of the records of processing activities implies the importance of having a responsible person to ensure GDPR compliance.

Highlights

Webinar focuses on data inventorization according to GDPR, covering understanding data flows, data mapping, and tips for compliance.

Introduction of speakers Ledeslav and colleague, both privacy lawyers from Legality Group, specializing in GDPR and other data protection laws.

The importance of data mapping for GDPR compliance, helping to identify and minimize unnecessary data storage.

GDPR principles require data to be processed only for specified, limited purposes, and data inventory can assist in this.

Data mapping is crucial for maintaining records of processing activities as mandated by Article 30 of GDPR.

Involvement of third parties in data flows and the necessity to document data sharing practices.

Data inventory facilitates the process of responding to data subject access requests under GDPR.

Data mapping aids in identifying impacted data subjects and responding to security incidents.

The webinar discusses the creation of a data map, emphasizing understanding data sources and GDPR roles.

Examples provided to illustrate the concept of data controllers, processors, and subjects in different scenarios.

Importance of identifying data recipients and the destinations of data transfers, especially regarding third countries.

Tips for data inventory include understanding which data is considered personal under GDPR.

Clarification on the roles of data controllers and processors, and how companies can act as both.

Utilization of data maps and records for handling data subject requests and understanding data storage locations.

Advice on specifying data categories, retention periods, and the necessity of regular reviews of data flow maps.

Highlighting the need to understand the exact information maintenance requirements as per Article 13 of GDPR.

Closing remarks include a call to action for supporting Ukrainian children through the company's charity program.

Transcripts

00:00

data inventorization according to gdpr

00:03

um

00:05

can we have a presentation displayed

00:06

thank you yeah um you can see the topic

00:10

uh of our webinar right now it's data

00:13

interaction according to gdpr uh today

00:16

we will talk about um

00:20

several topics on this

00:23

um schema

00:25

the agenda of our webinar will be first

00:28

of all the understanding of data flows

00:29

of your company as the first step to

00:32

hdbar compliance

00:33

secondly we will try to draw a data map

00:36

and thirdly we will

00:40

include some tips for data minimization

00:42

and

00:43

understanding the applicable laws

00:45

regarding the data militarization

00:49

we will shortly introduce ourselves my

00:51

name is ledeslav i am a privacy lawyer

00:54

in legality group we work on

00:57

different um projects regarding uh

01:00

s-gdpr and ccpa other

01:04

international data protection laws um

01:06

and my colleague

01:08

yeah hello my name is uh

01:12

i am also a privacy lawyer uh working

01:14

for legality group

01:16

and today we will talk about uh data

01:19

militarization according to gdpr about

01:22

what uh what yosof has said before yeah

01:25

nice to meet you

01:27

yeah

01:28

and a short framework we wanted to pay

01:31

your to draw your attention to the

01:33

uh

01:34

to the war in ukraine and our charity

01:36

program developed by our company

01:39

despite the difficult situation which

01:42

forced many of our

01:45

many of our many of ukrainians

01:48

go to the war and many of children

01:51

move from their cities

01:54

because of the shellings

01:56

we continue to work and we provide

01:59

consultations to our at army as well as

02:01

take part in the information exchange to

02:04

ensure that

02:06

the children in need are supported

02:07

regardless of their uh whereabouts in

02:10

any way possible and you can also

02:12

help the children by

02:15

donating

02:18

according to our requisites which you

02:20

can find on our website uh in the

02:22

charity

02:25

page

02:26

yeah so uh thank you for your attention

02:28

again this topic um and we will move to

02:30

the topic of our webinar

02:34

i give the word to my colleague first of

02:36

all

02:37

okay

02:38

thank you for supporting children again

02:43

and

02:43

let's go back to the gdpr

02:47

today we're going to talk about

02:50

terms such as data inventory and

02:54

data mapping and

02:56

how this connects with gdpr namely gdpr

03:00

principles records of processing

03:02

activities

03:04

third parties fulfilling data subject

03:07

requests responding to security

03:09

incidents and so on

03:12

firstly we need to understand

03:14

what the term data inventory or data

03:17

mapping does mean within the gdpr or

03:21

other applicable laws

03:23

these terms are synonyms

03:25

very basically

03:27

personal data inventory or personal data

03:30

map is a record of personal data

03:32

processed by a company which can be

03:35

expressed in the variety of forms such

03:37

as lists

03:39

diagrams tables and so on

03:43

overall the process of data making helps

03:47

companies to understand what information

03:50

including what personal data the company

03:52

collects stores or otherwise processes

03:57

okay

03:58

that's clear so

04:01

we can talk about principles of the gdpr

04:04

and connections

04:06

to data inventory

04:10

the article 6 of the gdpr sets out six

04:14

principles that controllers and

04:17

processors should follow

04:19

when they process personal data in

04:22

europe

04:23

we would like to point out that

04:26

supervisory authorities often

04:29

impose fines on companies for violating

04:33

gdpr principles so

04:36

you obviously have to pay special

04:37

attention to those principles

04:40

when you process personal data

04:42

and

04:44

having a data inventory or having data

04:47

mapping

04:48

help you in compliance with

04:51

those

04:52

principles

04:53

it means

04:54

that

04:55

you need to process personal data

04:59

only with accordance with those

05:02

principles for example gdpr provides

05:04

with

05:06

purpose limitation and storage

05:08

limitation principles

05:10

and that means that you need to process

05:12

personal data only for specified

05:15

purposes and for no longer

05:18

for which

05:20

the data is used and for the work

05:24

that

05:25

this data

05:27

for one case then you need this data for

05:30

these purposes

05:31

and creating a data inventory can help

05:34

you identify all these purposes and

05:37

specifies the exact time period for

05:40

processing this personal data

05:43

and

05:44

in this way

05:46

you minimize the risk that you will find

05:49

out yourself in situations

05:52

this situation

05:53

when you have

05:55

in your database unnecessary data

05:59

that stores for a limited period of time

06:02

which is bad

06:04

and let's talk uh a little bit of uh

06:08

records of uh processing activities

06:11

uh the data inventory and data mapping

06:15

is closely related to the maintaining of

06:18

records of processing activities or

06:20

europa

06:21

maintaining of europa is a direct

06:24

obligation for certain controllers and

06:28

processors under article 30

06:31

of the

06:33

they gdpr

06:34

said that

06:35

you can make

06:37

your data inventory or data making in a

06:40

variety of forms but

06:43

the list of required information

06:45

on the maintaining the records of

06:48

processing activities is strictly

06:50

specified in article 30.

06:53

such information should include

06:56

name and contact details of the

06:58

processor

07:00

the applicable joint controller

07:03

controller representative and dpo such

07:06

information may also include

07:08

the purposes of processing description

07:12

of the categories of data subjects and

07:15

the categories of personal data

07:17

processed

07:18

information regarding international data

07:21

transfers

07:22

storage period and

07:24

applied organizational and technical

07:27

measures such

07:28

as anonymization

07:31

vpn access control physical security and

07:35

so on and so on

07:36

it's really hard to identify and list of

07:40

such information but if you have data

07:42

inventory or data map it becomes much

07:46

easier for you to complete this task

07:51

and also we should talk about

07:54

third parties and their role in new data

07:57

flow

07:58

the involvement of third parties has

08:02

great importance nowadays

08:04

because many companies

08:07

use

08:08

crm systems cloud technologies uh other

08:12

different marketing platforms and so on

08:16

and because the personal data you

08:19

collect may be shared with third parties

08:21

we need to include information about

08:24

site sharing in your data format

08:27

firstly it is good to identify all third

08:30

parties to whom you can transfer your

08:33

personal data

08:34

personal data of your users and then it

08:38

is good to

08:39

identify what personal data can be

08:41

transmitted

08:42

and for how long

08:45

please

08:46

also note

08:48

that

08:49

you may obtain

08:51

such personal data

08:53

not directly from data subject but from

08:56

other third parties and when it happens

09:00

you should

09:00

include information about such

09:03

transmissions in your data for map

09:07

as well

09:08

and also

09:10

you should note

09:11

that

09:13

some personal data

09:14

companies can obtain

09:17

automatically for example through api or

09:21

sdk

09:22

and such information should be included

09:25

in

09:26

data for map

09:28

maps excel

09:30

also we should talk a little bit about

09:33

satisfying the rights of data subjects

09:37

under gdpr

09:39

and the

09:40

maintaining of data inventory and data

09:44

map

09:45

also helps in such situations

09:49

and let's imagine uh situation uh you

09:52

have you are owner of uh platform which

09:56

puts processes uh

09:58

personal some personal data of users

10:01

and

10:03

one day you obtain a dsr data subject

10:07

access request from one of your users

10:09

and

10:10

[Music]

10:11

this email

10:13

user asks you to provide

10:16

them with all information you have on

10:19

them

10:21

firstly we need to understand what

10:23

information do you have

10:25

about

10:26

this

10:27

person

10:29

you think and you remember that

10:32

this user

10:34

has an account on your platform so you

10:37

have a name surname and maybe phone

10:40

number

10:41

but

10:42

at this time you also remember that

10:47

this user can provide feedback

10:51

on your platform and

10:53

you can also collect some insights about

10:56

users behavior through cookies and

11:00

other tracking technologies and you also

11:03

had a conversation with these users two

11:07

months ago so you have a lot of

11:09

information about these users and it's

11:13

really hard to identify all this

11:16

information that you have without data

11:18

making but if you have data inventory or

11:21

data mapping

11:23

i think it becomes

11:24

more easier

11:26

and

11:28

for for identifying all pieces of

11:31

information yeah

11:33

and

11:35

the last but not least

11:38

responsible security

11:40

incidents

11:41

how does data making can help

11:44

in such situations

11:46

here

11:47

similar to satisfying data subject

11:50

requests data mapping can also help you

11:54

to respond to such incidents

11:57

of course

11:58

you need to have

12:00

information security policies for

12:02

handling such requests

12:05

or personal data breach under gdpr with

12:08

strict rules how to react in a

12:10

particular situation when security

12:13

incidents is occurred but if you have

12:16

data inventory you can more swiftly

12:20

identify impacted

12:22

data subjects

12:23

in case of data breach and

12:26

under gdpr there are notification

12:29

timelines for notification of data

12:31

subject and for notification supervisory

12:35

authority and communication to data

12:38

subjects

12:39

so the time saved can help you to meet

12:43

these requirements

12:45

under gdpr

12:48

i think that's all from me for this

12:51

topic

12:52

and what

12:54

you can go on

12:55

yeah thank you

12:56

um so i would like to

12:59

talk about

13:00

how to draw your first data map as my

13:02

colleague have already mentioned data

13:04

flow maps are one of the essential parts

13:07

of the gdpr audit and ongoing gdpr

13:09

compliance

13:11

before we begin to grow

13:13

we need to understand what subjects

13:16

takes take place in the processing

13:18

activities of your company namely from

13:20

whom and what personal data you collect

13:23

and what are the third parties or

13:25

service providers you share your you

13:27

share personal data with

13:30

and what roles do all of the subjects

13:32

have under gdpr it may be data

13:34

controller or joint data controller data

13:38

processor or data subject if you want to

13:41

simplify it in order to understand the

13:43

basic concepts data subject is the one

13:46

who whose data is collected uh for some

13:49

purposes uh data controllers

13:52

uh on on

13:54

on his site defines the means and

13:56

purposes of such collecting so it uses

13:59

personal uh data for its own goals us

14:02

and if um there are several data

14:04

controllers and they define

14:06

and then define uh means and purposes

14:08

together uh that's the important point

14:10

uh that they do it together uh they will

14:13

be joined data controllers and the gdpr

14:16

and data processor is the one who acts

14:18

on behalf of data controller and

14:20

processes personal data not in

14:22

his or her own purposes but in

14:24

accordance with

14:25

the purpose defined by the data

14:26

controller

14:28

it may seem a bit abstract um and

14:31

unclear when we talk about it uh

14:32

theoretically so it's better to show an

14:35

example uh so let's imagine you have a

14:37

soft software development company and

14:40

you need to uh draw um your data map

14:45

with regard to the services due to our

14:47

search

14:48

outsource services you provide to your

14:50

clients

14:51

so uh take a look at this map

14:54

firstly you need to

14:56

understand what are the sources

14:58

from which you receive personal data uh

15:00

in this case uh like on the map uh you

15:03

may see the following services sources

15:06

uh data collected from a visitor who is

15:08

a visitor we usually call uh an

15:11

individual a visitor when he or she just

15:14

merely browses the website and leave no

15:16

personal data except

15:18

some technical identifiers which are

15:21

collected

15:23

excuse me do you hear me

15:26

everything's fine uh okay uh sorry um it

15:28

may be um

15:30

i'll begin uh we usually call uh an

15:32

individual visitor when he or she just

15:34

merely browses on the website and leave

15:36

no personal data except

15:38

some technical identifiers which are

15:40

usually collected by cookies it may be

15:42

ip gps

15:45

country of visit time of the site with a

15:47

duration of such visit and etc so uh the

15:50

source of receiving such data is usually

15:52

the website secondly you may see uh

15:54

potential clients who are these guys uh

15:57

these are the people who leave their

15:59

personal data using for example contact

16:02

us contact us form on the website um or

16:05

using email or phone number

16:07

these are usually the people who are

16:09

interested in your services and they

16:11

leave their data for further

16:13

communication regarding such services

16:16

and thirdly um

16:18

let's imagine that your company is

16:19

looking for

16:20

more i.t specialists so you also use

16:22

your website

16:24

email and phone number to collect data

16:25

about the potential employees

16:27

and such data is needed um of course for

16:30

communication with

16:32

such employees so as you will see as you

16:34

may see all of the data

16:37

company collects as a data controller

16:41

it uses

16:43

companies in such

16:46

processes is the data controller because

16:49

it uses uh such data in uh its own

16:51

purposes for example we stress data may

16:54

be used for analytics to understand uh

16:56

user's behavior on the website what's uh

16:58

for example uh

17:00

from from where uh uh the majority of

17:03

the users uh and then potential clients

17:06

data for uh maybe used for communication

17:08

with such clients regarding the services

17:10

and the police data for communication

17:12

regarding the employment process

17:14

uh then please take a look at the

17:16

company's great icon uh so as you may

17:18

see that same company may act uh as a

17:21

data controller and a data processor but

17:23

with regard to different uh processing

17:25

activities

17:26

uh so in the case of typical software

17:29

development companies the most

17:30

widespread situation is one client which

17:34

asks for software development services

17:36

is the data controller and the company

17:38

who performs such services is the data

17:41

processor

17:42

why is it so imagine your client has a

17:45

for example fitness software which

17:48

collects some personal data from its

17:49

users then these clients as this client

17:52

asks you to develop a new feature for

17:54

this software uh providing you with

17:56

success to the dates that this

17:57

application collects

18:02

then

18:04

so so client collects personal data from

18:07

application users in its own purposes

18:09

and therefore uh it is the data

18:12

controller as we have already discussed

18:14

and then uh

18:15

it transfers such data to your software

18:17

development company which act as a data

18:19

processor because uh it uses such data

18:22

only on behalf and in accordance with

18:24

the order of the client so

18:26

your company does not define the means

18:28

and and purposes of the processing thus

18:30

you are the data processor in this case

18:33

and what happens with the collected data

18:36

next you can

18:38

look above

18:40

the company's icons

18:42

uh so such data may be transferred to

18:44

different data recipients uh

18:48

they could be really really different uh

18:50

depending on the specifics of this

18:51

service we have identified most common

18:55

use of service providers these are the

18:57

cloud storages crms and analytics

18:59

services

19:01

the same story is about your contractors

19:03

we have defined them as the separate

19:05

category

19:06

because often companies attract

19:08

contractors for accomplishing specific

19:10

tasks for example it could be marketing

19:13

specialists technical specialists

19:14

lawyers uh search engine analysts and uh

19:18

so on

19:19

they all will act as data processors

19:21

because uh they process personal data

19:23

only in accordance with yours or your

19:25

company's instructions uh inside the

19:28

scope of provision of

19:30

your services

19:31

what's uh

19:32

is also important uh take a look at

19:35

arrows

19:36

which show what data what data are

19:39

transferred during particular processing

19:40

activity it may be important if you

19:43

transfer uh for example only a

19:44

particular category of data to one of

19:46

the data recipients for example you use

19:48

two cloud storages one for client states

19:50

and another one for visitors data

19:52

therefore you need to make it clear on

19:54

your map

19:56

also it's very important to see their

19:57

destinations where you transfer your

19:59

personal data as on the gdpr there are

20:02

additional rules concerning data

20:03

transfers to so-called third countries

20:06

so the countries outside of the european

20:09

union and european economic area

20:12

so it's better to understand what

20:13

additional safeguards you need to

20:15

implement to justify

20:17

such transfer for example conclude the

20:19

data protection agreements which include

20:21

standard contractual clauses developed

20:22

by the european commission it's one of

20:24

the

20:25

gdpr requirements

20:28

so

20:29

i guess

20:31

that's all about the map if you have any

20:34

questions you may ask of course and we

20:36

will

20:37

move forward

20:39

to the topic of the tips for that

20:41

inventorization and how to understand

20:42

the applicable laws and i'll give the

20:44

word to michael league

20:48

okay

20:48

thank you

20:50

uh

20:51

the next topic is

20:53

tips for data memorization understanding

20:56

applicable laws and we want to share

20:59

with you

21:00

some tips and tricks regarding data

21:03

inventory and

21:05

data maintenance and the applicables

21:08

namely gdpr

21:10

firstly

21:11

it is important to understand

21:14

which of the data you processed is

21:16

personal

21:18

personal data is any information

21:20

relating to

21:22

identified or identifiable natural

21:24

person

21:25

it can be not only name or surname but

21:28

email ip address

21:32

nickname

21:33

date of doors

21:35

and so on so

21:37

and

21:38

the most important that such

21:40

information can help

21:42

to identify

21:44

such

21:45

a person

21:47

and

21:48

you should note that not every piece of

21:50

data is a personal data

21:53

for example anonymized data cannot be

21:56

regarded as personal data under gdpr

22:00

and

22:01

we have an example

22:03

quite often platforms for any reason

22:07

reasons

22:09

block

22:10

their users and

22:12

then anonymize

22:14

their email

22:16

used for creating an account on the

22:19

platform and stored hashed email without

22:24

storing actually personal data

22:27

and

22:28

this solution kills two birds with one

22:31

stone

22:32

you

22:33

doesn't

22:34

allow to create a new account

22:37

on the platform

22:38

and at the same time you do not store

22:42

any personal data because you store only

22:45

cash

22:46

and

22:47

this is good

22:50

also you should know

22:52

about

22:53

your roles under gdpr and about location

22:56

of such roles

22:59

honestly it is not a simple task because

23:03

allocation of roles

23:05

and gdpr can be tough in most situations

23:09

but

23:10

you should remember that the main two

23:13

roles under gdpr is a controller or a

23:16

processor and controller is a company

23:20

that determines the purposes and means

23:22

of the processing of personal data

23:25

namely how and why personal data should

23:28

be processed

23:30

and the processor is a company that

23:32

processes personal data on behalf of the

23:36

contrary

23:38

we

23:39

want to point out

23:41

that

23:41

the companies that

23:43

collects personal data can be both a

23:47

controller and a processor what has

23:50

talked about this

23:52

but

23:53

i want to

23:55

give you an example

23:57

a processor can collect some personal

24:00

data

24:02

on behalf of a controller and the

24:07

striking example

24:10

of

24:11

allocation of rows

24:13

is the

24:14

operation of payment processors

24:17

where the payment

24:18

processor

24:19

collects some personal data of

24:22

from users directly and in this case the

24:27

payment processor who collects who

24:29

actually collects personal data will be

24:31

a processor acting on behalf of their

24:34

client controller who even

24:38

cannot have

24:40

any

24:40

payment data of users but only reports

24:45

of complete and completed payments for

24:47

example

24:49

and

24:51

we also advise you to utilize

24:53

your data maps

24:55

data inventory records of processing

24:58

activities when you're working with

25:01

data subject

25:03

access

25:04

requests

25:06

and

25:07

we already looked at the case of

25:11

data subject access request

25:14

but this also applies to

25:17

handling with other requests as well

25:19

for example when you handle with

25:22

direction requests

25:24

you can check in your data inventory and

25:27

records of processing activities

25:30

where and what personal data can be

25:32

stored about

25:34

this particular user and

25:37

by doing that

25:38

you can also understand whether you can

25:41

satisfy this data subject uh requests at

25:45

all

25:46

because

25:48

there is a situation uh that

25:52

it may be situations that

25:55

you may find out

25:57

that

25:58

you have other legal grounds for

26:00

processing of such personal data

26:04

and

26:05

the

26:06

you can find out that you have no

26:09

information

26:10

about

26:11

this data subject and you can receive

26:14

these requests

26:16

by mistake and

26:18

you cannot satisfy this request because

26:20

you have no information about this user

26:22

it happens to

26:24

and

26:26

i think that's all tips i wanted to

26:28

share with you so what

26:31

yeah i would like to address

26:33

three more tips

26:35

i

26:36

want you to pay attention to

26:39

the

26:40

necessity to specify the categories of

26:42

data you collect so depending on the

26:44

service depending of your uh platform uh

26:48

it could be different categories for

26:50

example contact information is uh the

26:52

most common case um

26:55

this could be like email phone number

26:57

full name uh username in social medias

26:59

and so on uh message information is um

27:03

also common

27:06

it is all of the information which could

27:08

be

27:09

treated as personal data

27:12

which you receive during messaging

27:14

during communication with your clients

27:16

financial information

27:19

is used for for example issuing an

27:21

invoice

27:23

or other payment operations when you

27:25

have some paid services you may collect

27:28

also financial

27:29

information about your users

27:31

and one of the most important and

27:34

sensitive topics is the sensitive data

27:37

as if your

27:39

service

27:40

is connected for example with some

27:42

medical

27:43

services medical issues and you collect

27:46

medical data for example from your uh

27:48

clients it is very important to identify

27:51

uh that

27:52

such type of data is being collected by

27:54

you because uh there are

27:57

additional uh requirements to the

27:59

collection of such data

28:01

on the gdpr you need to

28:04

receive for you to obtain um

28:06

an explicit consent uh for example to

28:08

collect such data lawfully

28:11

uh when you have specified the

28:13

categories of the data you collect um it

28:16

is very important to understand the

28:18

retention periods of such data so uh it

28:21

may vary from

28:23

different categories for example um

28:26

some technical data collected via

28:27

cookies

28:29

maybe

28:30

may be stored uh even like for a session

28:32

or for a day and uh other data the

28:36

contact information may be used by a

28:38

company like for for several years

28:40

because um you have the purpose of

28:42

retargeting your previous clients with

28:45

new features of your service with

28:48

new services so you need to identify

28:52

the retention periods for different

28:54

categories of data and if you cannot

28:56

identify such periods

28:58

for some reasons you need to specify the

29:01

criteria by which you

29:04

delete or store some data

29:07

also

29:08

[Music]

29:09

these retention periods

29:13

should be

29:14

tracked

29:15

in compliance with the storage

29:17

limitation principle of gdpr which

29:20

obliges data controllers to store

29:22

personal data only

29:24

for the period which uh for which such

29:26

data is needed so for example if you do

29:28

not need

29:30

any data you shall delete it on the

29:32

hdbar uh also uh purpose limitation um

29:36

principle

29:38

of gtpar is a bit similar uh similar so

29:41

you you collect every piece of data um

29:45

and you base uh such a collection on the

29:48

particular

29:49

purpose and for example if you do not uh

29:53

some amount of data for their particular

29:56

purpose for example you collect a photo

29:59

of your user uh for

30:01

the communication purposes with him

30:05

it is not essential so

30:07

such data

30:08

may not be used and

30:10

to comply with the purpose limitation

30:12

principle it is important to understand

30:14

uh the limits of uh the data collection

30:18

and also it's important to understand

30:20

where is data stored some of the

30:22

companies use their own services

30:25

server servers excuse me

30:28

and some companies

30:30

use cloud storages it's very popular now

30:34

and you need to understand where such

30:36

cloud storage is for example are servers

30:38

located because if uh they are outside

30:41

of the european uh

30:43

union and european economic area you

30:45

need to implement additional safeguards

30:47

to protect such data

30:54

also

30:55

you need

30:57

moving to the next tip

30:59

also i would advise you to perform a

31:01

regular review of your data flow maps

31:03

and records of processing activities

31:05

especially while you implementing or

31:08

removing some new features

31:11

which

31:13

make you to collect more personal data

31:14

for example

31:16

as we have

31:17

discussed the software development

31:19

company on the data map you decided to

31:21

uh

31:22

develop your it courses and you collect

31:25

uh

31:26

some data for the

31:28

enrolling on such courses

31:30

you for example collect education data

31:33

or

31:34

certificates of english knowledge

31:37

so uh you have a new categories of data

31:40

and you need to um

31:42

you need to update your data maps and

31:44

records of processing activities with

31:46

regard to such

31:48

new

31:49

processing activities

31:51

uh and

31:52

the last but not least tip for today

31:55

you need to understand the exact amount

31:57

of information you need to maintain

31:59

in accordance with article 13 gdpr i

32:02

would recommend you to

32:04

read to

32:05

examine this article which says that

32:08

controllers

32:09

shall maintain a record of processing

32:11

activities but that record shall contain

32:13

um the information uh the particular

32:16

amount of information so is the name and

32:18

the contact details of the controller so

32:20

uh of your company for example

32:22

uh the purposes of processing uh a

32:25

description of categories of data

32:27

subjects and uh categories of personal

32:30

data

32:31

uh the categories of recipients so whom

32:33

the personal data have been

32:36

will be disclosed

32:37

and where applicable

32:39

uh information about the transfers of

32:41

personal data to a certain country

32:43

uh and um

32:45

general uh description of technical

32:48

organizational security measures so i

32:50

would like you to note that um

32:53

it's

32:53

the article the this article of gdpr

32:56

asks uh only the categories of data

32:59

subject the categories of personal data

33:01

and the categories of recipients so you

33:02

do not need to

33:05

to disclose uh the particular

33:08

piece of date as a particular

33:11

data recipient or as a particular data

33:13

subject it could be only the category so

33:15

as we have discussed on the data map

33:17

slides um it could be like visitors or

33:19

clients you don't need to say that john

33:22

smith's data you have collected and put

33:26

that in your records of processing

33:28

activities

33:29

uh so do not maintain uh unnecessary

33:31

data and do it in compliance um with

33:35

in accordance with the article of gdpr

33:40

um

33:41

i guess um that's all we wanted to tell

33:43

you today uh we would like to thank you

33:46

for your attention and to ask you to

33:48

subscribe to our

33:50

youtube channel uh for our new for new

33:53

legal webinars to track our updates on

33:56

our social medias and i would like to

33:57

remind you one more time to

34:00

uh to donate if you have a an

34:02

opportunity to help the children of

34:04

ukraine

34:06

and eager

34:08

yeah yes thank you for attention

34:10

and i also would like to remind you

34:14

that you can help ukrainian children

34:18

you can find information about this

34:22

on our charity page

34:24

the links

34:25

you can find the links in the chat or in

34:29

the description of this webinar on

34:32

youtube linkedin instagram

34:35

and facebook

34:38

and

34:39

i guess we can say goodbye yeah thank

34:42

you thank you

34:44

bye

Browse More Related Video

Data Inventories and Data Maps: The Cornerstone to GDPR Compliance

Your Personal Data Inventory Top Tips & Brexit Impact 161220

How to Implement GDPR Part 2 :Roadmap for Implementation

Privacy - CompTIA Security+ SY0-701 - 5.4

The Data Flow Mapping Tool – the quick and easy way to document personal data processing

How to create a ROPA (Record of processing activity), GDPR Article 30

Rate This

★

★

★

★

★

5.0 / 5 (0 votes)

Related Tags

GDPR ComplianceData InventoryData MappingPrivacy LawWebinar SeriesData ProtectionLegality GroupCharity SupportUkraine CrisisData SecurityPersonal Data