GDPR & LOL Digital Properties
Internal Use
GDPR Basics
The General Data Protection Regulation (GDPR) is a far-reaching privacy law governing the collection & use of personally identifiable information (PII, which GDPR calls "personal data") of individuals located in the European Union (EU), whether or not they are EU citizens.
GDPR affects businesses "established" in the EU (meaning they have a physical presence within the EU) as well as businesses located outside the EU who:
• Offer goods or services to individuals in the EU, whether or not payment is required; or
• Monitor the behavior of individuals in the EU (think behavioral advertising, or what EU regulators call "profiling").
The maximum penalties are severe: €20,000,000 or 4% of total annual worldwide revenue for the preceding year, whichever is greater. To put that in context, LOL's 2017 revenue was $13.7 billion; 4% of that is $548,000,000.
GDPR goes into effect May 25, 2018.
GDPR's Data Principles
• Lawfulness: be transparent & fair
• Purpose Limitation: collect data for specified & legitimate purposes
• Data Minimization: limit data collection to necessities
• Data Accuracy: keep data updated & allow for user updates
• Storage Limitation: keep data only so long as is necessary
• Integrity (& Confidentiality): data security to protect against unlawful access/loss
Does GDPR Apply to What I'm Doing?
If you operate a website that collects PII (such as IP address, contact information, etc.), then it is possible for nearly anyone in the world to access your site and provide you their PII.
If someone from the EU does this, do I need to comply with GDPR? Consider this 3-part test:
• Established: Does the business maintain a physical presence in the EU? Does the business have employees in the EU?
• Goods or Services: Does the business offer goods or services for sale in the EU?
• Everything else: This can be a difficult analysis. If the first two scenarios don't apply but you are still collecting data from EU individuals (for example, monitoring or profiling their behavior), please contact [email protected]
GDPR & Vendors
GDPR anticipates that many companies use 3rd party vendors to assist with business functions, including data processing.
If one of our vendors violates GDPR while performing those functions on our behalf, LOL, as the data controller, could be held liable. GDPR also requires a written contract with each such vendor that sets out what the vendor may do with the data.
If you are working with a 3rd party vendor that could or will process personally identifiable information from EU residents, please contact [email protected]
Roles: Data Subject (the Person) → Data Controller (LOL) → Data Processor (Vendor)
Other Considerations
Cross-Border Transfer of Data
• EU - US
• Access = Transfer (remote access to EU data from outside the EU counts as a transfer)
• Binding Corporate Rules
Technology
• Right of Access & Updates
• Right of Erasure
• Data Security
Privacy by Design
• Get Privacy involved early: GDPR requires documentation of how privacy is addressed
Confidential
Please contact Privacy with any questions or concerns regarding GDPR compliance or whether GDPR applies to your project.
[email protected] [email protected]