What are the Fundamental Principles of Privacy?
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
What are a Subject’s Data Rights?
Right to:
- Information
- Access
- Rectification
- Erasure
- Restrict Processing
- Data Portablility
- Object
- Automated Decisions
Personal Data VS Sensitive Personal Data
- Personal Data identifies a person
- Sensitive Personal Data is more Sensitive and Tightly Guarded Data
Different the Conditions for Two Fine Tiers in the GDPR
- Tier 1: Failing to meet Processor obligations, failing to appoint a DPO
- TIer 2: Breaching core principles, breaking data subject rights.
What is the Time Window for Notification for Data Breaches in GDPR Compliant Organizations?
72 Hours
What are the Lawful Bases for Data Processing in the GDPR?
- Freely given, informed consent
- Necessary contract
- Required legal obligation
- Vital interests of user
- Public task or local authority
- Legitimate interests
What are the Key Obligations in the GDPR?
- Privacy by design and default
- Data Protection Impact Assesments (DPIAs)
- Data Protection Officer (DPO)
- Data Breach Notification
- International Data Transfers
What are the Two Tiers of Fines in the GRPR?
- Up to 10 million euros or 2%
- Up to 20 million euros or 4%
What is the GDPR?
Europe’s General Data Protection Regulations
What is the HIPAA?
The US’ Health Insurance Portability and Accountability Act sets standards for patient health information protection
What are the Primary Goals of HIPAA?
- Health insurance portability
- Combating Healthcare fraud and abuse
- Protecting patient health information
- Ensure electronic personal health information security
Who are the HIPAA-covered entities
- Health providers
- Health planners
- Clearing houses
- All business associates from above
What is the Time Window for Notification for Data Breaches in HIPAA Compliant Organizations?
60 Days
What actions are permitted without authorization in HIPAA?
- Treatment
- Payment
- Healthcare Operations
What are some actions that are not permitted without authorization in HIPAA?
- Marketing
- Sale of PHI
- Psychotherapy notes
What are the HIPAA Penalty Tiers?
Per Violation:
1. $100 - $50,000 (Didn’t know or couldn’t have known)
2. $1,000 - $50,000 (Reasonable cause)
3. $10,000 - $50,000 (Willful neglect, corrected within 30 days)
4. $50,000+ (Wilful neglect, not corrected)
What is the UAE PDPL?
The UAE’s Personal Data Protection Law is the UAE’s first comprehensive federal data protection law
What is the Scope of the UAE’s PDPL
- Controllers/processors in the UAE
- Processing of individuals in the UAE
- all Sectors
What is the Maximum Penalty of the UAE PDPL?
10 million dirhams (~ $2.7 million)
What are the UAE PDPL’s Data Processing Principles?
- Lawfulness and Fairness
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Security
- Accountability
What are the Legal Bases for Data Processing in the UAE PDPL?
- Clear, informed consent
- Contractual Necessity
- Vital interests of user
- Public Interest
- Legitimate Interest
What are the Data Rights of a Subject in the UAE PDPL?
- Information and Access Rights
- Correction and Deletion
- Control and Portability
- Sensitive data requires explicit consent or specific legal authorization
What is the Expected Subject Response Time in the UAE PDPL?
30 days (can be extended to 60 with justification)
What are the Controller Obligations in the UAE PDPL?
- Privacy by Design and Default
- Data Protection Impact Assessment
- Data Protection Officer
- Data Breach Notification
- International Transfers
