Difference between revisions of "GDPR"

From SOBAC Wiki
Jump to navigation Jump to search
Line 78: Line 78:
 
::The report said investigators didn't find any official documentation about what information Microsoft collects through Office and no way of turning Office telemetry off, raising a serious privacy concern for all current Office users, regardless of geographical location.
 
::The report said investigators didn't find any official documentation about what information Microsoft collects through Office and no way of turning Office telemetry off, raising a serious privacy concern for all current Office users, regardless of geographical location.
  
 +
* [https://page.bdo.ca/gdpr-compliance/ BDO white paper on GDPR compliance in Canada]
 +
* [https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en European Commission GDPR webpage]
 +
* [https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ UK International Commissioner's Office guide to the GDPR]
 +
* [https://www.canadianlawyermag.com/article/getting-ready-for-gdpr-3607/ Canadian Lawyer Magazine article on Getting Ready for GDPR]
 +
* [https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/ Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada
  
  

Revision as of 10:48, 14 January 2019

GDPR

Date
Monday, 14 January 2019 from 7:00pm to 9:00pm iCal
Meetup Event
https://www.meetup.com/NetSquared-Kitchener-Waterloo/events/255516932/
Location
*** Room 1300 *** -- Conrad Grebel University College, 140 Westmount Rd. N., Waterloo, Ontario Map
Event Announcement
GDPR/Announcement 2019-01-14

Does your Non-Profit organization collect personal data on people? People in Europe? And what is Personal Data anyway? Does your organization have an office in Europe? Store data in Europe? Process data in Europe? What is the General Data Protection Regulation (GDPR)? Does it apply to your organization? What policies does your organization need to have? What technical measures need to be in place? What's the SysAdmin's role in all this? Could a SysAdmin be liable?

Marc Paré will provide us with an overview of the GDPR, and outline some of the concerns for Non-Profit SysAdmins.

--Marc Paré & Bob Jonkman

Talking Points

  • General Data Protection Regulation (GDPR)
    • European Commission
      • set the GDPR standards
    • Data Protection Agencies (DPA) (e.g. Information Commissioners Office ICO in the UK)
      • In charge of administering the GDPR in their respective countries
    • In force as of 25 May 2018
      • primarily applies to controllers and processors located in the European Economic Area (the EEA) with some exceptions
      • applies to any site servicing or selling goods to European users
      • all sites must adhere to GDPR except any personal websites
    • Types of data
      • clear reason for data collection
    • Consent
      • requires use of positive opt-in consent and NOT pre-ticked consent or use of double-opt-in
      • requires site's statement of consent must be clear and explicit
        • cannot re-purpose consent to another statement
      • user ability to remove consent should be easily accomplished
      • requires storage of consent for possible future audit trails
    • Data Storage
      • clear defined use and length needed to store information
      • storage of personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes
      • data collection must be necessary
      • users have the right to access, rectify, erase, restrict, restrict portability of data
      • restricts the transfer of personal data to countries outside the EEA, or international organizations
    • Types of data collection groups (2)
      • Controllers and Processors
    • Data Protection Officers (DPO)
      • individual in charge of data storage and adherence/compliance to GDPR for companies over 250 employees or if collecting large personal sensitive data
      • DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level
      • DPO may be shared amongst multiple organizations
      • you must appoint a DPO if
        • your site requires large scale tracking
        • you are a public authority or body
        • your site collects data on criminal convictions/offences
        • appointing a DPO is suggested as best practice
    • Data Breaches
      • requires that data is stored securely
      • encryption is suggested
      • breaches reported withing 72hrs
      • keep record on any breaches
      • have breech policy
    • Non-compliance fines
      • up to 20 million euros or 4% of annual revenues
    • GDPR Certification
      • framework is still not available but forthcoming

GDPR and Canadian Privacy Laws

    • Personal Information Protection and Electronic Documents Act (PIPEDA)
      • aligns more or less with GDPR
      • updated as of 01 November 2018
      • mandatory reporting of breeches to users and to Privacy Commissioner
        • more fine grained reporting on breech policy and record keeping
      • fines up to $100,000

Resources

They said Microsoft engages in this telemetry collection covertly and without properly informing users.
The report said investigators didn't find any official documentation about what information Microsoft collects through Office and no way of turning Office telemetry off, raising a serious privacy concern for all current Office users, regardless of geographical location.